import CS scap-security-guide-0.1.69-2.el8
This commit is contained in:
parent
01d4307a78
commit
8e61abb8f1
2
.gitignore
2
.gitignore
@ -1,2 +1,2 @@
|
|||||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||||
SOURCES/scap-security-guide-0.1.66.tar.bz2
|
SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||||
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
|
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||||
|
@ -1,106 +0,0 @@
|
|||||||
From f9a787045807d22b0bca3d028f265cb6f87f681c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Watson Sato <wsato@redhat.com>
|
|
||||||
Date: Tue, 7 Feb 2023 10:53:18 +0100
|
|
||||||
Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled
|
|
||||||
|
|
||||||
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
|
||||||
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
|
|
||||||
---
|
|
||||||
.../oval/shared.xml | 68 +++++++++++++++----
|
|
||||||
1 file changed, 54 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
||||||
index 4adef2e53f..d7c96665b4 100644
|
|
||||||
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
||||||
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
||||||
@@ -133,9 +133,10 @@
|
|
||||||
OVAL resources in order to detect and assess only active zone, which are zones with at
|
|
||||||
least one NIC assigned to it. Since it was possible to easily have the list of active
|
|
||||||
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
|
||||||
- level of complexity to make sure environments with multiple NICs and multiple zones are
|
|
||||||
- in use. So, in favor of simplicity and readbility it was decided to work with a static
|
|
||||||
- list. It means that, in the future, it is possible this list needs to be updated. -->
|
|
||||||
+ level of complexity to ensure proper assessment in environments where multiple NICs and
|
|
||||||
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
|
|
||||||
+ work with a static list. It means that, in the future, it is possible this list needs to
|
|
||||||
+ be updated. -->
|
|
||||||
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
|
|
||||||
datatype="string"
|
|
||||||
comment="Regex containing the list of zones files delivered in the firewalld package">
|
|
||||||
@@ -145,23 +146,62 @@
|
|
||||||
<!-- If any default zone is modified by the administrator, the respective zone file is placed
|
|
||||||
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
|
||||||
directory is applicable for new zones created by the administrator. Therefore, all files
|
|
||||||
- in this directory should also allow SSH. -->
|
|
||||||
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
|
||||||
+ in this directory should also allow SSH.
|
|
||||||
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
|
|
||||||
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
|
|
||||||
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
|
|
||||||
+ an impact in transparency since the objects are not shown in reports. The transparency
|
|
||||||
+ impact can be workarounded by using other OVAL objects, but this would impact in
|
|
||||||
+ readability and would increase complexity. This solution is in favor of simplicity. -->
|
|
||||||
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
|
||||||
check="all" check_existence="at_least_one_exists" version="1"
|
|
||||||
comment="SSH service is defined in all zones created or modified by the administrator">
|
|
||||||
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
||||||
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
||||||
- </ind:xmlfilecontent_test>
|
|
||||||
+ <ind:object
|
|
||||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
|
|
||||||
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
|
||||||
+ </ind:variable_test>
|
|
||||||
+
|
|
||||||
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
|
||||||
+ version="1">
|
|
||||||
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
|
|
||||||
+ </ind:variable_object>
|
|
||||||
+
|
|
||||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
|
||||||
+ datatype="int" version="1"
|
|
||||||
+ comment="Variable including number of custom zone files allowing ssh">
|
|
||||||
+ <count>
|
|
||||||
+ <object_component item_field="filepath"
|
|
||||||
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
|
||||||
+ </count>
|
|
||||||
+ </local_variable>
|
|
||||||
|
|
||||||
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
||||||
- <ind:path>/etc/firewalld/zones</ind:path>
|
|
||||||
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
||||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
||||||
+ <ind:path>/etc/firewalld/zones</ind:path>
|
|
||||||
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
|
||||||
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
||||||
</ind:xmlfilecontent_object>
|
|
||||||
|
|
||||||
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
|
||||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
|
||||||
- </ind:xmlfilecontent_state>
|
|
||||||
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
|
|
||||||
+ version="1">
|
|
||||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
|
||||||
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
|
||||||
+ </ind:variable_state>
|
|
||||||
+
|
|
||||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
|
|
||||||
+ datatype="int" version="1"
|
|
||||||
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
|
|
||||||
+ <count>
|
|
||||||
+ <object_component item_field="filepath"
|
|
||||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
|
|
||||||
+ </count>
|
|
||||||
+ </local_variable>
|
|
||||||
+
|
|
||||||
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
|
|
||||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
|
||||||
+ recurse_file_system="local"/>
|
|
||||||
+ <unix:path>/etc/firewalld/zones</unix:path>
|
|
||||||
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
|
|
||||||
+ </unix:file_object>
|
|
||||||
|
|
||||||
<!-- SSH service is configured as expected -->
|
|
||||||
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,122 +0,0 @@
|
|||||||
From a8236abf709c577152cb96876fcc27c8cf173e66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Watson Sato <wsato@redhat.com>
|
|
||||||
Date: Wed, 8 Feb 2023 14:42:32 +0100
|
|
||||||
Subject: [PATCH 5/5] Accept required and requisite control flag for
|
|
||||||
pam_pwhistory
|
|
||||||
|
|
||||||
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
|
||||||
Patch-status: Accept required and requisite control flag for pam_pwhistory
|
|
||||||
---
|
|
||||||
controls/cis_rhel8.yml | 2 +-
|
|
||||||
controls/cis_rhel9.yml | 2 +-
|
|
||||||
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
|
|
||||||
.../rule.yml | 4 ++++
|
|
||||||
.../var_password_pam_remember_control_flag.var | 1 +
|
|
||||||
products/rhel8/profiles/stig.profile | 2 +-
|
|
||||||
tests/data/profile_stability/rhel8/stig.profile | 2 +-
|
|
||||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
|
||||||
8 files changed, 11 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
||||||
index c0406f97b8..efc53d03fd 100644
|
|
||||||
--- a/controls/cis_rhel8.yml
|
|
||||||
+++ b/controls/cis_rhel8.yml
|
|
||||||
@@ -2267,7 +2267,7 @@ controls:
|
|
||||||
rules:
|
|
||||||
- accounts_password_pam_pwhistory_remember_password_auth
|
|
||||||
- accounts_password_pam_pwhistory_remember_system_auth
|
|
||||||
- - var_password_pam_remember_control_flag=requisite
|
|
||||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
|
|
||||||
- id: 5.5.4
|
|
||||||
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
|
|
||||||
index 7299a39528..30f7e8d182 100644
|
|
||||||
--- a/controls/cis_rhel9.yml
|
|
||||||
+++ b/controls/cis_rhel9.yml
|
|
||||||
@@ -2112,7 +2112,7 @@ controls:
|
|
||||||
rules:
|
|
||||||
- accounts_password_pam_pwhistory_remember_password_auth
|
|
||||||
- accounts_password_pam_pwhistory_remember_system_auth
|
|
||||||
- - var_password_pam_remember_control_flag=requisite
|
|
||||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
|
|
||||||
- id: 5.5.4
|
|
||||||
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
|
||||||
index 1e8286a4a4..b02b7da419 100644
|
|
||||||
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
|
||||||
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
|
||||||
@@ -5,7 +5,7 @@ controls:
|
|
||||||
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
|
|
||||||
rules:
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
- - var_password_pam_remember_control_flag=requisite
|
|
||||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- accounts_password_pam_pwhistory_remember_password_auth
|
|
||||||
- accounts_password_pam_pwhistory_remember_system_auth
|
|
||||||
status: automated
|
|
||||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
|
||||||
index c549de2e96..d2b220ef9f 100644
|
|
||||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
|
||||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
|
||||||
@@ -129,3 +129,7 @@ warnings:
|
|
||||||
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
|
|
||||||
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
|
|
||||||
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
|
|
||||||
+ If a custom profile was created and used in the system before this authselect feature was
|
|
||||||
+ available, the new feature can't be used with this custom profile and the
|
|
||||||
+ remediation will fail. In this case, the custom profile should be recreated or manually
|
|
||||||
+ updated.
|
|
||||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
|
||||||
index 8f01007550..1959936c04 100644
|
|
||||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
|
||||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
|
||||||
@@ -20,4 +20,5 @@ options:
|
|
||||||
"sufficient": "sufficient"
|
|
||||||
"binding": "binding"
|
|
||||||
"ol8": "required,requisite"
|
|
||||||
+ "requisite_or_required": "requisite,required"
|
|
||||||
default: "requisite"
|
|
||||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
||||||
index 8c64868619..a3f7dc9720 100644
|
|
||||||
--- a/products/rhel8/profiles/stig.profile
|
|
||||||
+++ b/products/rhel8/profiles/stig.profile
|
|
||||||
@@ -37,7 +37,7 @@ selections:
|
|
||||||
- var_accounts_minimum_age_login_defs=1
|
|
||||||
- var_accounts_max_concurrent_login_sessions=10
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
- - var_password_pam_remember_control_flag=requisite
|
|
||||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- var_selinux_state=enforcing
|
|
||||||
- var_selinux_policy_name=targeted
|
|
||||||
- var_password_pam_unix_rounds=5000
|
|
||||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
||||||
index 6970a32b4f..5d694c6ae1 100644
|
|
||||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
||||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
||||||
@@ -433,7 +433,7 @@ selections:
|
|
||||||
- var_accounts_minimum_age_login_defs=1
|
|
||||||
- var_accounts_max_concurrent_login_sessions=10
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
-- var_password_pam_remember_control_flag=requisite
|
|
||||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- var_selinux_state=enforcing
|
|
||||||
- var_selinux_policy_name=targeted
|
|
||||||
- var_password_pam_unix_rounds=5000
|
|
||||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
||||||
index 314f14e4f6..e165525b90 100644
|
|
||||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
||||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
||||||
@@ -441,7 +441,7 @@ selections:
|
|
||||||
- var_accounts_minimum_age_login_defs=1
|
|
||||||
- var_accounts_max_concurrent_login_sessions=10
|
|
||||||
- var_password_pam_remember=5
|
|
||||||
-- var_password_pam_remember_control_flag=requisite
|
|
||||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
|
||||||
- var_selinux_state=enforcing
|
|
||||||
- var_selinux_policy_name=targeted
|
|
||||||
- var_password_pam_unix_rounds=5000
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,147 +0,0 @@
|
|||||||
From 775dec7b479f9fa900fa46d174b202efc14407fa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Watson Sato <wsato@redhat.com>
|
|
||||||
Date: Mon, 13 Feb 2023 11:14:40 +0100
|
|
||||||
Subject: [PATCH 6/6] remove rule logind_session_timeout and associated
|
|
||||||
variable from profiles
|
|
||||||
|
|
||||||
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
|
||||||
Patch-status: remove rule logind_session_timeout and associated variable from profiles
|
|
||||||
---
|
|
||||||
controls/anssi.yml | 2 --
|
|
||||||
products/rhel8/profiles/cjis.profile | 2 --
|
|
||||||
products/rhel8/profiles/ospp.profile | 2 --
|
|
||||||
products/rhel8/profiles/pci-dss.profile | 2 --
|
|
||||||
products/rhel8/profiles/rht-ccp.profile | 2 --
|
|
||||||
tests/data/profile_stability/rhel8/ospp.profile | 2 --
|
|
||||||
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
|
|
||||||
7 files changed, 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
||||||
index 607ce976ef..9e631d1de4 100644
|
|
||||||
--- a/controls/anssi.yml
|
|
||||||
+++ b/controls/anssi.yml
|
|
||||||
@@ -676,8 +676,6 @@ controls:
|
|
||||||
- var_accounts_tmout=10_min
|
|
||||||
- sshd_set_idle_timeout
|
|
||||||
- sshd_idle_timeout_value=10_minutes
|
|
||||||
- - logind_session_timeout
|
|
||||||
- - var_logind_session_timeout=10_minutes
|
|
||||||
- sshd_set_keepalive
|
|
||||||
|
|
||||||
- id: R30
|
|
||||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
|
||||||
index f60b65bc06..18394802b9 100644
|
|
||||||
--- a/products/rhel8/profiles/cjis.profile
|
|
||||||
+++ b/products/rhel8/profiles/cjis.profile
|
|
||||||
@@ -104,7 +104,6 @@ selections:
|
|
||||||
- sshd_allow_only_protocol2
|
|
||||||
- sshd_set_idle_timeout
|
|
||||||
- var_sshd_set_keepalive=0
|
|
||||||
- - logind_session_timeout
|
|
||||||
- sshd_set_keepalive_0
|
|
||||||
- disable_host_auth
|
|
||||||
- sshd_disable_root_login
|
|
||||||
@@ -120,7 +119,6 @@ selections:
|
|
||||||
- set_firewalld_default_zone
|
|
||||||
- firewalld_sshd_port_enabled
|
|
||||||
- sshd_idle_timeout_value=30_minutes
|
|
||||||
- - var_logind_session_timeout=30_minutes
|
|
||||||
- inactivity_timeout_value=30_minutes
|
|
||||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
|
||||||
- sysctl_net_ipv4_tcp_syncookies
|
|
||||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
|
||||||
index 0fe17b2085..fb46ab4c0c 100644
|
|
||||||
--- a/products/rhel8/profiles/ospp.profile
|
|
||||||
+++ b/products/rhel8/profiles/ospp.profile
|
|
||||||
@@ -300,8 +300,6 @@ selections:
|
|
||||||
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
|
|
||||||
- sshd_idle_timeout_value=14_minutes
|
|
||||||
- sshd_set_idle_timeout
|
|
||||||
- - logind_session_timeout
|
|
||||||
- - var_logind_session_timeout=14_minutes
|
|
||||||
|
|
||||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
|
||||||
## FIA_UAU.1
|
|
||||||
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
|
|
||||||
index c63c5f4a07..c0c9b12773 100644
|
|
||||||
--- a/products/rhel8/profiles/pci-dss.profile
|
|
||||||
+++ b/products/rhel8/profiles/pci-dss.profile
|
|
||||||
@@ -17,7 +17,6 @@ selections:
|
|
||||||
- var_accounts_passwords_pam_faillock_deny=6
|
|
||||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
|
||||||
- sshd_idle_timeout_value=15_minutes
|
|
||||||
- - var_logind_session_timeout=15_minutes
|
|
||||||
- var_password_pam_minlen=7
|
|
||||||
- var_password_pam_minclass=2
|
|
||||||
- var_accounts_maximum_age_login_defs=90
|
|
||||||
@@ -110,7 +109,6 @@ selections:
|
|
||||||
- dconf_gnome_screensaver_lock_enabled
|
|
||||||
- dconf_gnome_screensaver_mode_blank
|
|
||||||
- sshd_set_idle_timeout
|
|
||||||
- - logind_session_timeout
|
|
||||||
- var_sshd_set_keepalive=0
|
|
||||||
- sshd_set_keepalive_0
|
|
||||||
- accounts_password_pam_minlen
|
|
||||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
|
||||||
index 0a00d2f46b..775727e885 100644
|
|
||||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
|
||||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
|
||||||
@@ -12,7 +12,6 @@ selections:
|
|
||||||
- var_selinux_state=enforcing
|
|
||||||
- var_selinux_policy_name=targeted
|
|
||||||
- sshd_idle_timeout_value=5_minutes
|
|
||||||
- - var_logind_session_timeout=5_minutes
|
|
||||||
- var_accounts_minimum_age_login_defs=7
|
|
||||||
- var_accounts_passwords_pam_faillock_deny=5
|
|
||||||
- var_accounts_password_warn_age_login_defs=7
|
|
||||||
@@ -89,7 +88,6 @@ selections:
|
|
||||||
- package_telnet_removed
|
|
||||||
- sshd_allow_only_protocol2
|
|
||||||
- sshd_set_idle_timeout
|
|
||||||
- - logind_session_timeout
|
|
||||||
- var_sshd_set_keepalive=0
|
|
||||||
- sshd_set_keepalive_0
|
|
||||||
- disable_host_auth
|
|
||||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
||||||
index a31f3245d8..267b66a4f8 100644
|
|
||||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
||||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
||||||
@@ -104,7 +104,6 @@ selections:
|
|
||||||
- kernel_module_firewire-core_disabled
|
|
||||||
- kernel_module_sctp_disabled
|
|
||||||
- kernel_module_tipc_disabled
|
|
||||||
-- logind_session_timeout
|
|
||||||
- mount_option_boot_nodev
|
|
||||||
- mount_option_boot_nosuid
|
|
||||||
- mount_option_dev_shm_nodev
|
|
||||||
@@ -254,7 +253,6 @@ selections:
|
|
||||||
- var_password_pam_ucredit=1
|
|
||||||
- var_password_pam_lcredit=1
|
|
||||||
- sshd_idle_timeout_value=14_minutes
|
|
||||||
-- var_logind_session_timeout=14_minutes
|
|
||||||
- var_accounts_passwords_pam_faillock_deny=3
|
|
||||||
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
||||||
- var_accounts_passwords_pam_faillock_unlock_time=never
|
|
||||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
|
||||||
index 5c77ea6a85..902d0084fc 100644
|
|
||||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
|
||||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
|
||||||
@@ -109,7 +109,6 @@ selections:
|
|
||||||
- gid_passwd_group_same
|
|
||||||
- grub2_audit_argument
|
|
||||||
- install_hids
|
|
||||||
-- logind_session_timeout
|
|
||||||
- no_empty_passwords
|
|
||||||
- package_aide_installed
|
|
||||||
- package_audispd-plugins_installed
|
|
||||||
@@ -137,7 +136,6 @@ selections:
|
|
||||||
- var_accounts_passwords_pam_faillock_deny=6
|
|
||||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
|
||||||
- sshd_idle_timeout_value=15_minutes
|
|
||||||
-- var_logind_session_timeout=15_minutes
|
|
||||||
- var_password_pam_minlen=7
|
|
||||||
- var_password_pam_minclass=2
|
|
||||||
- var_accounts_maximum_age_login_defs=90
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||||
|
Date: Tue, 8 Aug 2023 15:15:21 +0200
|
||||||
|
Subject: [PATCH] Remove kernel cmdline check
|
||||||
|
|
||||||
|
The OVAL in rule enable_fips_mode contains multiple checks. One
|
||||||
|
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
|
||||||
|
Although this is useful for latest RHEL versions, this file doesn't
|
||||||
|
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
|
||||||
|
remediation on these RHEL versions.
|
||||||
|
|
||||||
|
We want the same OVAL behavior on all minor RHEL releases, therefore
|
||||||
|
we will remove this test from the OVAL completely.
|
||||||
|
|
||||||
|
Related to: https://github.com/ComplianceAsCode/content/pull/10897
|
||||||
|
---
|
||||||
|
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
|
||||||
|
1 file changed, 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
index 88aae7aaab9..3b50e07060e 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
@@ -12,8 +12,6 @@
|
||||||
|
comment="system cryptography policy is configured"/>
|
||||||
|
<criterion test_ref="test_system_crypto_policy_value"
|
||||||
|
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||||
|
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||||
|
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||||
|
{{% if "ol" in product or "rhel" in product %}}
|
||||||
|
<criteria operator="OR">
|
||||||
|
<criteria operator="AND">
|
||||||
|
@@ -57,19 +55,6 @@
|
||||||
|
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||||
|
</ind:textfilecontent54_state>
|
||||||
|
|
||||||
|
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||||
|
- check="all" check_existence="all_exist"
|
||||||
|
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||||
|
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||||
|
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||||
|
- </ind:textfilecontent54_test>
|
||||||
|
-
|
||||||
|
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||||
|
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||||
|
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||||
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
- </ind:textfilecontent54_object>
|
||||||
|
-
|
||||||
|
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||||
|
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||||
|
<ind:object object_ref="obj_system_crypto_policy_value" />
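Review bot: The new patch's commit-message block (from `From 75dd0e76be95...` to `Related to:`) carries no `Patch-name:` and `Patch-status:` trailers, while every patch file removed in this same commit has them (e.g. `Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch` / `Patch-status: Accept required and requisite control flag for pam_pwhistory`), so the package-side bookkeeping for this patch cannot be recovered from the file itself; add `Patch-name: <THIS-PATCH-FILE-NAME>` and `Patch-status: Remove kernel cmdline check` before the `---` separator, with the real file name in place of the placeholder. The dropped criterion was the only place this OVAL verified `fips=1` in /etc/kernel/cmdline, and the description itself calls that check useful on the latest RHEL versions, so after this patch the rule reports compliance on such systems even when that file lacks `fips=1` — presumably affecting the command line of kernels installed later, if that is what the file seeds. That coverage gap is worth stating in the description, e.g. `Note: the rule no longer assesses /etc/kernel/cmdline; fips=1 is only verified in the boot-loader entries (or grubenv on RHEL 8).` As far as this page shows, `state_fips_1_argument_in_captured_group` is still referenced by test_fips_1_argument_in_boot_loader_entries_conf, so the removal leaves no dangling state reference.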
|
@ -0,0 +1,272 @@
|
|||||||
|
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marcus Burghardt <maburgha@redhat.com>
|
||||||
|
Date: Thu, 27 Jul 2023 10:02:08 +0200
|
||||||
|
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
|
||||||
|
|
||||||
|
This commit only improves readability without any technical impact in
|
||||||
|
the OVAL logic.
|
||||||
|
---
|
||||||
|
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
|
||||||
|
1 file changed, 50 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
index fe3f96f52a5..0ec076a5fb7 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
@@ -1,32 +1,38 @@
|
||||||
|
<def-group>
|
||||||
|
- <definition class="compliance" id="enable_fips_mode" version="1">
|
||||||
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||||
|
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||||
|
<criteria operator="AND">
|
||||||
|
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
||||||
|
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
||||||
|
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||||
|
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||||
|
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||||
|
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
|
||||||
|
+ <extend_definition definition_ref="etc_system_fips_exists"
|
||||||
|
+ comment="check /etc/system-fips exists"/>
|
||||||
|
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||||
|
+ comment="check sysctl crypto.fips_enabled = 1"/>
|
||||||
|
+ <extend_definition definition_ref="enable_dracut_fips_module"
|
||||||
|
+ comment="Dracut FIPS module is enabled"/>
|
||||||
|
+ <extend_definition definition_ref="configure_crypto_policy"
|
||||||
|
+ comment="system cryptography policy is configured"/>
|
||||||
|
+ <criterion test_ref="test_system_crypto_policy_value"
|
||||||
|
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||||
|
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||||
|
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||||
|
{{% if "ol" in product or "rhel" in product %}}
|
||||||
|
<criteria operator="OR">
|
||||||
|
<criteria operator="AND">
|
||||||
|
- <extend_definition comment="Generic test for s390x architecture"
|
||||||
|
- definition_ref="system_info_architecture_s390_64" />
|
||||||
|
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||||
|
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||||
|
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||||
|
+ comment="Generic test for s390x architecture"/>
|
||||||
|
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||||
|
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
</criteria>
|
||||||
|
<criteria operator="AND">
|
||||||
|
<criteria negate="true">
|
||||||
|
- <extend_definition comment="Generic test for NOT s390x architecture"
|
||||||
|
- definition_ref="system_info_architecture_s390_64" />
|
||||||
|
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||||
|
+ comment="Generic test for NOT s390x architecture"/>
|
||||||
|
</criteria>
|
||||||
|
{{% if product in ["ol8", "rhel8"] %}}
|
||||||
|
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||||
|
- test_ref="test_grubenv_fips_mode" />
|
||||||
|
+ <criterion test_ref="test_grubenv_fips_mode"
|
||||||
|
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||||
|
{{% else %}}
|
||||||
|
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||||
|
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||||
|
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||||
|
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
{{% endif %}}
|
||||||
|
</criteria>
|
||||||
|
</criteria>
|
||||||
|
@@ -34,58 +40,71 @@
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
|
||||||
|
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||||
|
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
|
||||||
|
- check="all" check_existence="all_exist" version="1">
|
||||||
|
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||||
|
+ check="all" check_existence="all_exist"
|
||||||
|
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||||
|
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||||
|
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
|
||||||
|
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
|
||||||
|
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
|
||||||
|
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||||
|
</ind:textfilecontent54_state>
|
||||||
|
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||||
|
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
|
||||||
|
- check="all" check_existence="all_exist" version="1">
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||||
|
+ check="all" check_existence="all_exist"
|
||||||
|
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||||
|
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||||
|
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||||
|
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||||
|
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
|
||||||
|
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||||
|
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||||
|
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||||
|
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||||
|
</ind:variable_test>
|
||||||
|
+
|
||||||
|
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
|
||||||
|
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
|
||||||
|
</ind:variable_object>
|
||||||
|
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
|
||||||
|
+
|
||||||
|
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||||
|
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||||
|
{{% if product in ["ol9","rhel9"] -%}}
|
||||||
|
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||||
|
{{%- else %}}
|
||||||
|
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||||
|
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
|
||||||
|
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||||
|
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
|
||||||
|
{{%- endif %}}
|
||||||
|
</ind:variable_state>
|
||||||
|
+
|
||||||
|
{{% if product in ["ol8","rhel8"] %}}
|
||||||
|
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
|
||||||
|
- comment="Fips mode selected in running kernel opts" version="1">
|
||||||
|
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||||
|
+ check="all" check_existence="all_exist"
|
||||||
|
+ comment="Fips mode selected in running kernel opts">
|
||||||
|
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
|
||||||
|
- version="1">
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
|
||||||
|
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
|
||||||
|
<ind:pattern operation="pattern match">fips=1</ind:pattern>
|
||||||
|
<ind:instance datatype="int">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
{{% endif %}}
|
||||||
|
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
|
||||||
|
+
|
||||||
|
+ <external_variable id="var_system_crypto_policy" version="1"
|
||||||
|
+ datatype="string" comment="defined crypto policy"/>
|
||||||
|
</def-group>
|
||||||
|
|
||||||
|
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marcus Burghardt <maburgha@redhat.com>
|
||||||
|
Date: Thu, 27 Jul 2023 10:20:33 +0200
|
||||||
|
Subject: [PATCH 2/2] Improve OVAL comments for better readability
|
||||||
|
|
||||||
|
Simplified the comments and aligned the respective lines to the
|
||||||
|
project Style Guides.
|
||||||
|
---
|
||||||
|
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
|
||||||
|
1 file changed, 16 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
index 0ec076a5fb7..88aae7aaab9 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||||
|
@@ -3,36 +3,36 @@
|
||||||
|
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||||
|
<criteria operator="AND">
|
||||||
|
<extend_definition definition_ref="etc_system_fips_exists"
|
||||||
|
- comment="check /etc/system-fips exists"/>
|
||||||
|
+ comment="check /etc/system-fips file existence"/>
|
||||||
|
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||||
|
- comment="check sysctl crypto.fips_enabled = 1"/>
|
||||||
|
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
|
||||||
|
<extend_definition definition_ref="enable_dracut_fips_module"
|
||||||
|
- comment="Dracut FIPS module is enabled"/>
|
||||||
|
+ comment="dracut FIPS module is enabled"/>
|
||||||
|
<extend_definition definition_ref="configure_crypto_policy"
|
||||||
|
comment="system cryptography policy is configured"/>
|
||||||
|
<criterion test_ref="test_system_crypto_policy_value"
|
||||||
|
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||||
|
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||||
|
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||||
|
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||||
|
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||||
|
{{% if "ol" in product or "rhel" in product %}}
|
||||||
|
<criteria operator="OR">
|
||||||
|
<criteria operator="AND">
|
||||||
|
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||||
|
- comment="Generic test for s390x architecture"/>
|
||||||
|
+ comment="generic test for s390x architecture"/>
|
||||||
|
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||||
|
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
</criteria>
|
||||||
|
<criteria operator="AND">
|
||||||
|
<criteria negate="true">
|
||||||
|
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||||
|
- comment="Generic test for NOT s390x architecture"/>
|
||||||
|
+ comment="generic test for non-s390x architecture"/>
|
||||||
|
</criteria>
|
||||||
|
{{% if product in ["ol8", "rhel8"] %}}
|
||||||
|
<criterion test_ref="test_grubenv_fips_mode"
|
||||||
|
comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||||
|
{{% else %}}
|
||||||
|
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||||
|
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||||
|
{{% endif %}}
|
||||||
|
</criteria>
|
||||||
|
</criteria>
|
||||||
|
@@ -42,7 +42,7 @@
|
||||||
|
|
||||||
|
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||||
|
check="all" check_existence="all_exist"
|
||||||
|
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||||
|
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
|
||||||
|
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||||
|
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
@@ -59,7 +59,7 @@
|
||||||
|
|
||||||
|
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||||
|
check="all" check_existence="all_exist"
|
||||||
|
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||||
|
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||||
|
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||||
|
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
@@ -71,7 +71,7 @@
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||||
|
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||||
|
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||||
|
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||||
|
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||||
|
</ind:variable_test>
|
||||||
|
@@ -81,7 +81,8 @@
|
||||||
|
</ind:variable_object>
|
||||||
|
|
||||||
|
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||||
|
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||||
|
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
|
||||||
|
+to a crypto policy module that further restricts the modified crypto policy.">
|
||||||
|
{{% if product in ["ol9","rhel9"] -%}}
|
||||||
|
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||||
|
{{%- else %}}
|
||||||
|
@@ -94,7 +95,7 @@
|
||||||
|
{{% if product in ["ol8","rhel8"] %}}
|
||||||
|
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||||
|
check="all" check_existence="all_exist"
|
||||||
|
- comment="Fips mode selected in running kernel opts">
|
||||||
|
+ comment="FIPS mode is selected in running kernel options">
|
||||||
|
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
|
||||||
|
@@ -106,5 +107,5 @@
|
||||||
|
{{% endif %}}
|
||||||
|
|
||||||
|
<external_variable id="var_system_crypto_policy" version="1"
|
||||||
|
- datatype="string" comment="defined crypto policy"/>
|
||||||
|
+ datatype="string" comment="variable which selects the crypto policy"/>
|
||||||
|
</def-group>
|
@ -0,0 +1,30 @@
|
|||||||
|
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 17 Aug 2023 10:50:09 +0200
|
||||||
|
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
|
||||||
|
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
|
||||||
|
2 files changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||||
|
index e2eeabbb78d..204e141b1f5 100644
|
||||||
|
--- a/products/rhel8/profiles/anssi_bp28_high.profile
|
||||||
|
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||||
|
@@ -17,3 +17,5 @@ description: |-
|
||||||
|
|
||||||
|
selections:
|
||||||
|
- anssi:all:high
|
||||||
|
+ # the following rule renders UEFI systems unbootable
|
||||||
|
+ - '!sebool_secure_mode_insmod'
|
||||||
|
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||||
|
index e2eeabbb78d..204e141b1f5 100644
|
||||||
|
--- a/products/rhel9/profiles/anssi_bp28_high.profile
|
||||||
|
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||||
|
@@ -17,3 +17,5 @@ description: |-
|
||||||
|
|
||||||
|
selections:
|
||||||
|
- anssi:all:high
|
||||||
|
+ # the following rule renders UEFI systems unbootable
|
||||||
|
+ - '!sebool_secure_mode_insmod'
|
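Review bot: The patch carries no description — the body between the Subject line and the `---` separator is empty — and the only rationale left in the tree is the profile comment `# the following rule renders UEFI systems unbootable`, which records neither the cause nor what the exclusion costs. Because both profiles still declare `- anssi:all:high`, consumers should be told explicitly that the profile now deviates from that baseline; I would expand the comment in both files to something like `# Deviation from anssi:all:high: sebool_secure_mode_insmod is unselected because enabling it leaves UEFI systems unbootable; restore it once the underlying issue is fixed (tracked as RHBZ#2221695 according to the spec changelog).` A one-paragraph commit description with the same facts, plus how the unbootable state was reproduced, would keep this from becoming a permanent, unexplained weakening of the high profile. Both hunks show the same `index e2eeabbb78d..204e141b1f5` blob ids for the rhel8 and rhel9 profile files, which is only plausible if the two files are byte-identical — worth confirming when the patch is regenerated.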
@ -5,7 +5,7 @@
|
|||||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.66
|
Version: 0.1.69
|
||||||
Release: 2%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
@ -15,17 +15,12 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
|
|||||||
# Include tarball with last released rhel6 content
|
# Include tarball with last released rhel6 content
|
||||||
Source1: %{_static_rhel6_content}.tar.bz2
|
Source1: %{_static_rhel6_content}.tar.bz2
|
||||||
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||||
Patch0: disable-not-in-good-shape-profiles.patch
|
Patch0: disable-not-in-good-shape-profiles.patch
|
||||||
# Rsyslog files rules remediations
|
# Fix rule enable_fips_mode
|
||||||
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
|
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
|
||||||
# Extends rsyslog_logfiles_attributes_modify template for permissions
|
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
|
||||||
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
|
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
|
||||||
# Change custom zones check in firewalld_sshd_port_enabled
|
Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch
|
||||||
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
|
||||||
# Accept required and requisite control flag for pam_pwhistory
|
|
||||||
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
|
||||||
# remove rule logind_session_timeout and associated variable from profiles
|
|
||||||
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -132,6 +127,30 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
|
||||||
|
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
|
||||||
|
|
||||||
|
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
||||||
|
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
|
||||||
|
- Fixed CCE link URL (RHBZ#2178516)
|
||||||
|
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
|
||||||
|
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
|
||||||
|
- Fixed rules related to AIDE configuration (RHBZ#2175684)
|
||||||
|
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
|
||||||
|
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
|
||||||
|
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
|
||||||
|
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
|
||||||
|
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
|
||||||
|
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
|
||||||
|
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
|
||||||
|
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
|
||||||
|
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
|
||||||
|
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
|
||||||
|
- Correct URL used to download CVE checks (RHBZ#2222583)
|
||||||
|
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
|
||||||
|
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
|
||||||
|
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
|
||||||
|
|
||||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
||||||
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
||||||
|
|
||||||
|
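Review bot: The comment `# Fix rule enable_fips_mode` now sits above `Patch1`, which is the readability patch (PR_10911), while `Patch2` (PR_10961, the actual fix) has no comment of its own — this breaks the one-comment-per-patch convention that `Patch0` and `Patch3` keep in the same hunk. I would give each patch its own line, e.g. `# Improve readability of OVAL checks for rule enable_fips_mode` above Patch1 and `# Fix rule enable_fips_mode` above Patch2, so a future rebase can tell which patch to drop once it lands upstream. The new 0.1.69-2 changelog entry cites RHBZ#2221695, the same bug the 0.1.69-1 rebase entry uses; if the ANSSI-high exclusion has its own tracker it should be cited there instead, since that is the reference someone will need to decide when `!sebool_secure_mode_insmod` can be removed again. The Patch-list hunk is the one reviewed here; the other two hunks are the version bump and changelog.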