import scap-security-guide-0.1.63-4.el8
This commit is contained in:
parent
f339ff864a
commit
958361e9a7
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.60.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
|
@ -1,2 +1,2 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
6768818c9bd6f9f35596f2fe23c50ffe52b974c3 SOURCES/scap-security-guide-0.1.60.tar.bz2
|
||||
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
|
@ -1,24 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
index 9f036f83015..f94ddab2fe1 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
@@ -32,6 +32,7 @@ references:
|
||||
cis@ubuntu2004: 4.1.1.4
|
||||
disa: CCI-001849
|
||||
nist: CM-6(a)
|
||||
+ ospp: FAU_STG.1,FAU_STG.3
|
||||
srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
|
||||
stigid@ol8: OL08-00-030602
|
||||
stigid@rhel8: RHEL-08-030602
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 6d76e896ffc..7396b9167c6 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -25,6 +25,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
cis@ubuntu2004: 4.1.1.4
|
||||
+ ospp: FAU_STG.1,FAU_STG.3
|
||||
|
||||
ocil_clause: 'audit backlog limit is not configured'
|
||||
|
@ -1,26 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||||
index 5841f378fe6..f4780b4ae6d 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||||
@@ -22,7 +22,7 @@ identifiers:
|
||||
references:
|
||||
disa: CCI-000366
|
||||
nist: CM-6
|
||||
- ospp: FAU_GEN.1.1.c
|
||||
+ ospp: FAU_GEN.1
|
||||
srg: SRG-OS-000062-GPOS-00031,SRG-OS-000480-GPOS-00227
|
||||
stigid@ol8: OL08-00-030061
|
||||
stigid@rhel8: RHEL-08-030061
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
index ba60b9b2c98..19dc3320e85 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
@@ -47,7 +47,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
nist: AU-2(a)
|
||||
- ospp: FAU_GEN.1.1.c
|
||||
+ ospp: FAU_GEN.1
|
||||
srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220
|
||||
|
||||
ocil_clause: 'the file does not exist or the content differs'
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||||
index 6c39a05550c..f169cba9f6b 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||||
@@ -21,7 +21,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
nist: CM-6
|
||||
- ospp: FAU_GEN.1.1.c
|
||||
+ ospp: FAU_STG.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil_clause: write_logs isn't set to yes
|
@ -1,26 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||||
index 48ed2f31795..b536a68cf2a 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||||
@@ -23,7 +23,7 @@ identifiers:
|
||||
references:
|
||||
disa: CCI-000366
|
||||
nist: CM-6,AU-3
|
||||
- ospp: FAU_GEN.1
|
||||
+ ospp: FAU_GEN.1.2
|
||||
srg: SRG-OS-000255-GPOS-00096,SRG-OS-000480-GPOS-00227
|
||||
stigid@ol8: OL08-00-030063
|
||||
stigid@rhel8: RHEL-08-030063
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
index a31e975c1c9..8da90cd760f 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
@@ -24,7 +24,7 @@ identifiers:
|
||||
references:
|
||||
disa: CCI-001851
|
||||
nist: CM-6,AU-3
|
||||
- ospp: FAU_GEN.1
|
||||
+ ospp: FAU_GEN.1.2
|
||||
srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
||||
stigid@ol7: OL07-00-030211
|
||||
stigid@ol8: OL08-00-030062
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
index ac43b654188..70357c153be 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
@@ -37,7 +37,7 @@ identifiers:
|
||||
references:
|
||||
disa: CCI-000162
|
||||
nist: AU-2(a)
|
||||
- ospp: FAU_GEN.1.1.c
|
||||
+ ospp: FAU_GEN.1.2
|
||||
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
|
||||
stigid@ol8: OL08-00-030122
|
||||
stigid@rhel8: RHEL-08-030122
|
@ -1,12 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
|
||||
index 5af94a56910..7968d90331e 100644
|
||||
--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
|
||||
@@ -31,6 +31,7 @@ references:
|
||||
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
|
||||
nist: CM-6(a)
|
||||
nist-csf: PR.PT-1
|
||||
+ ospp: FTP_ITC_EXT.1.1
|
||||
srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024,SRG-OS-000480-GPOS-00227
|
||||
stigid@ol8: OL08-00-030670
|
||||
stigid@rhel8: RHEL-08-030670
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||||
index d5d49bf7426..83c6d9339de 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||||
@@ -29,7 +29,7 @@ references:
|
||||
anssi: BP28(R43)
|
||||
ism: 0988,1405
|
||||
nist: AU-9(3),CM-6(a)
|
||||
- ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
|
||||
+ ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1,FIA_X509_EXT.1.1,FMT_SMF_EXT.1.1
|
||||
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
|
||||
|
||||
ocil_clause: 'omfwd is not configured with gtls and AuthMode'
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||||
index 635207b571f..818f24718a0 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||||
@@ -27,7 +27,7 @@ identifiers:
|
||||
references:
|
||||
anssi: BP28(R43)
|
||||
ism: 0988,1405
|
||||
- ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
|
||||
+ ospp: FCS_TLSC_EXT.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil_clause: 'CA certificate for rsyslog remote logging via TLS is not set'
|
@ -1,24 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||||
index 8b36f0c2fa3..795089c8b83 100644
|
||||
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||||
@@ -27,6 +27,7 @@ references:
|
||||
nerc-cip: CIP-004-6 R3.3,CIP-007-3 R6.5
|
||||
nist: AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a)
|
||||
nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
|
||||
+ ospp: FAU_GEN.1
|
||||
srg: SRG-OS-000122-GPOS-00063,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031
|
||||
stigid@ol8: OL08-00-030180
|
||||
stigid@rhel8: RHEL-08-030180
|
||||
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||||
index 320b69c3179..99edca3e270 100644
|
||||
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||||
@@ -50,6 +50,7 @@ references:
|
||||
nist: AC-2(g),AU-3,AU-10,AU-2(d),AU-12(c),AU-14(1),AC-6(9),CM-6(a),SI-4(23)
|
||||
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
|
||||
nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
|
||||
+ ospp: FAU_GEN.1
|
||||
pcidss: Req-10.1
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031
|
||||
stigid@ol7: OL07-00-030000
|
@ -1,165 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
index 8a28af022a7..02c69bddd27 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_all
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = high
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
index a7182849548..db89a5e47a1 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
@@ -31,6 +31,8 @@ rationale: |-
|
||||
of initiating changes, including upgrades and modifications.
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-88692-9
|
||||
+ cce@rhel9: CCE-88693-7
|
||||
cce@sle12: CCE-83234-5
|
||||
cce@sle15: CCE-85753-2
|
||||
|
||||
@@ -40,6 +42,8 @@ references:
|
||||
disa: CCI-001499
|
||||
nerc-cip: CIP-003-8 R6
|
||||
nist: CM-5,CM-5(6),CM-5(6).1
|
||||
+ srg: SRG-OS-000259-GPOS-00100
|
||||
+ stigid@rhel8: RHEL-08-010331
|
||||
stigid@sle12: SLES-12-010872
|
||||
stigid@sle15: SLES-15-010352
|
||||
stigid@ubuntu2004: UBTU-20-010427
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index af078463b05..6e957c302ac 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
index d58616bcafb..55ff9cebd4f 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
chmod -R 755 "$dirPath"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
index 98d18cde3ea..c2b5b6bf029 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
index 6df6e2f8f9b..40e6c42c829 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index decba0087e8..920a55659fd 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -77,6 +77,7 @@ selections:
|
||||
- accounts_password_pam_difok
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 04f158116ee..5d98b1c894e 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -228,6 +228,9 @@ selections:
|
||||
# RHEL-08-010330
|
||||
- file_permissions_library_dirs
|
||||
|
||||
+ # RHEL-08-010331
|
||||
+ - dir_permissions_library_dirs
|
||||
+
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 8f79b22e3e4..2614504e9cd 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -229,6 +229,9 @@ selections:
|
||||
# RHEL-08-010330
|
||||
- file_permissions_library_dirs
|
||||
|
||||
+ # RHEL-08-010331
|
||||
+ - dir_permissions_library_dirs
|
||||
+
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 3f6ec5e17c4..4a926bce5de 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -2645,8 +2645,6 @@ CCE-88688-7
|
||||
CCE-88689-5
|
||||
CCE-88690-3
|
||||
CCE-88691-1
|
||||
-CCE-88692-9
|
||||
-CCE-88693-7
|
||||
CCE-88694-5
|
||||
CCE-88695-2
|
||||
CCE-88696-0
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index ed739e724f4..4df5c4a2e21 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -25,6 +25,7 @@ extends: null
|
||||
metadata:
|
||||
version: V1R4
|
||||
SMEs:
|
||||
+ - mab879
|
||||
- ggbecker
|
||||
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||||
selections:
|
||||
@@ -180,6 +181,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
- directory_group_ownership_var_log_audit
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 56c3fcb9f59..98746158aed 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -36,6 +36,7 @@ extends: null
|
||||
metadata:
|
||||
version: V1R4
|
||||
SMEs:
|
||||
+ - mab879
|
||||
- ggbecker
|
||||
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||||
selections:
|
||||
@@ -191,6 +192,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
- directory_group_ownership_var_log_audit
|
@ -1,57 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
index 68b353965ec..ff106996f00 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
@@ -28,7 +28,7 @@ references:
|
||||
cis@ubuntu2004: 1.4.1
|
||||
cjis: 5.10.1.3
|
||||
cobit5: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
- disa: CCI-002699,CCI-001744
|
||||
+ disa: CCI-002696,CCI-002699,CCI-001744
|
||||
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
|
||||
isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6'
|
||||
ism: 1034,1288,1341,1417
|
||||
@@ -36,9 +36,9 @@ references:
|
||||
nist: CM-6(a)
|
||||
nist-csf: DE.CM-1,DE.CM-7,PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3
|
||||
pcidss: Req-11.5
|
||||
- srg: SRG-OS-000363-GPOS-00150
|
||||
+ srg: SRG-OS-000363-GPOS-00150,SRG-OS-000445-GPOS-00199
|
||||
stigid@ol8: OL08-00-010360
|
||||
- stigid@rhel8: RHEL-08-010360
|
||||
+ stigid@rhel8: RHEL-08-010359
|
||||
stigid@sle12: SLES-12-010500
|
||||
stigid@sle15: SLES-15-010420
|
||||
stigid@ubuntu2004: UBTU-20-010450
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index ff23f83cfbf..cb72403e81a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -239,8 +239,10 @@ selections:
|
||||
- root_permissions_syslibrary_files
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
- # RHEL-08-010360
|
||||
+ # RHEL-08-010359
|
||||
- package_aide_installed
|
||||
+
|
||||
+ # RHEL-08-010360
|
||||
- aide_scan_notification
|
||||
|
||||
# RHEL-08-010370
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 31015d4b83c..93ecc404dc2 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -240,8 +240,10 @@ selections:
|
||||
- root_permissions_syslibrary_files
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
- # RHEL-08-010360
|
||||
+ # RHEL-08-010359
|
||||
- package_aide_installed
|
||||
+
|
||||
+ # RHEL-08-010360
|
||||
- aide_scan_notification
|
||||
|
||||
# RHEL-08-010370
|
@ -1,596 +0,0 @@
|
||||
From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Feb 2022 15:25:06 +0100
|
||||
Subject: [PATCH 1/9] Add rule to check for default sudoers includedir
|
||||
|
||||
This rule supports RHEL-08-010379.
|
||||
---
|
||||
.../ansible/shared.yml | 7 ++++
|
||||
.../sudoers_default_includedir/bash/shared.sh | 11 ++++++
|
||||
.../oval/shared.xml | 23 +++++++++++
|
||||
.../sudo/sudoers_default_includedir/rule.yml | 38 +++++++++++++++++++
|
||||
.../tests/default_includedir.pass.sh | 7 ++++
|
||||
.../tests/duplicate_includedir.fail.sh | 7 ++++
|
||||
.../tests/no_includedir.fail.sh | 4 ++
|
||||
.../tests/two_includedir.fail.sh | 8 ++++
|
||||
shared/references/cce-redhat-avail.txt | 3 --
|
||||
9 files changed, 105 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..d9d5933285f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_all
|
||||
+# # reboot = false
|
||||
+# # strategy = configure
|
||||
+# # complexity = low
|
||||
+# # disruption = low
|
||||
+
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3a9e2da985b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sudoers_config_file="/etc/sudoers"
|
||||
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
|
||||
+if [ "$sudoers_includedir_count" -gt 1 ]; then
|
||||
+ sed -i "/#includedir.*/d" "$sudoers_config_file"
|
||||
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
+fi
|
||||
+if [ "$sudoers_includedir_count" -eq 0 ]; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..5618c64291c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -0,0 +1,23 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_default_includedir" />
|
||||
+ <ind:state state_ref="state_sudoers_default_includedir" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+ <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
|
||||
+ <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..5c33121f911
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -0,0 +1,38 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9
|
||||
+
|
||||
+title: 'Ensure sudo only includes the default configuration directory'
|
||||
+
|
||||
+description: |-
|
||||
+ Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||
+ other directories and configuration files from the file currently being parsed.
|
||||
+
|
||||
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
+ The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
+ <tt>/etc/sudoers.d</tt>
|
||||
+ Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
|
||||
+ Use of these configuration options makes it easier for one compromised accound to be used to
|
||||
+ compromise other accounts.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-86277-1
|
||||
+ cce@rhel8: CCE-86377-9
|
||||
+ cce@rhel9: CCE-86477-7
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ stigid@rhel8: RHEL-08-010379
|
||||
+
|
||||
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
|
||||
+ run the following command:
|
||||
+ <pre>$ sudo grep 'include' /etc/sudoers</pre>
|
||||
+ If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ac0c808ccd6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5bad8225625
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# duplicate default entry
|
||||
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..1e0ab8aea92
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -i "/#includedir.*/d" /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..09d14eab630
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure that there are two different indludedirs
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 41caad9f0d0..f2990adb537 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -340,7 +340,6 @@ CCE-86273-0
|
||||
CCE-86274-8
|
||||
CCE-86275-5
|
||||
CCE-86276-3
|
||||
-CCE-86277-1
|
||||
CCE-86278-9
|
||||
CCE-86279-7
|
||||
CCE-86281-3
|
||||
@@ -428,7 +427,6 @@ CCE-86373-8
|
||||
CCE-86374-6
|
||||
CCE-86375-3
|
||||
CCE-86376-1
|
||||
-CCE-86377-9
|
||||
CCE-86378-7
|
||||
CCE-86379-5
|
||||
CCE-86380-3
|
||||
@@ -524,7 +522,6 @@ CCE-86473-6
|
||||
CCE-86474-4
|
||||
CCE-86475-1
|
||||
CCE-86476-9
|
||||
-CCE-86477-7
|
||||
CCE-86478-5
|
||||
CCE-86479-3
|
||||
CCE-86480-1
|
||||
|
||||
From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Feb 2022 16:21:46 +0100
|
||||
Subject: [PATCH 2/9] Select rule in RHEL8 STIG
|
||||
|
||||
Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5
|
||||
---
|
||||
products/rhel8/profiles/stig.profile | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d92bc72971c..e13bda7a787 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -271,6 +271,9 @@ selections:
|
||||
# RHEL-08-010376
|
||||
- sysctl_kernel_perf_event_paranoid
|
||||
|
||||
+ # RHEL-08-010379
|
||||
+ - sudoers_default_includedir
|
||||
+
|
||||
# RHEL-08-010380
|
||||
- sudo_remove_nopasswd
|
||||
|
||||
|
||||
From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Feb 2022 17:26:59 +0100
|
||||
Subject: [PATCH 3/9] Add test and fix for case when the single includedir is
|
||||
wrong
|
||||
|
||||
---
|
||||
.../sudo/sudoers_default_includedir/bash/shared.sh | 7 +++++--
|
||||
.../tests/wrong_includedir.fail.sh | 5 +++++
|
||||
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
index 3a9e2da985b..258af02c121 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
|
||||
if [ "$sudoers_includedir_count" -gt 1 ]; then
|
||||
sed -i "/#includedir.*/d" "$sudoers_config_file"
|
||||
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
-fi
|
||||
-if [ "$sudoers_includedir_count" -eq 0 ]; then
|
||||
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
|
||||
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
+else
|
||||
+ if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
|
||||
+ fi
|
||||
fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..55a072adf3c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -i "/#includedir.*/d" /etc/sudoers
|
||||
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
|
||||
|
||||
From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 14:50:11 +0100
|
||||
Subject: [PATCH 4/9] Add tests for sudo file and dir includes in
|
||||
/etc/sudoers.d
|
||||
|
||||
---
|
||||
.../tests/sudoers.d_with_include.fail.sh | 9 +++++++++
|
||||
.../tests/sudoers.d_with_includedir.fail.sh | 9 +++++++++
|
||||
.../tests/sudoers_with_include.fail.sh | 11 +++++++++++
|
||||
3 files changed, 29 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..554ef2e060d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..516b68b5a3e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ad04880e334
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+if ! grep -q "#include " /etc/sudoers; then
|
||||
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
|
||||
+fi
|
||||
|
||||
From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 14:59:18 +0100
|
||||
Subject: [PATCH 5/9] Update rule catch and remove other sudo includes
|
||||
|
||||
Any other #include or #includedir besides:
|
||||
"/etc/sudoers: #includedir /etc/sudoers.d" should be removed.
|
||||
---
|
||||
.../ansible/shared.yml | 14 +++++++++++
|
||||
.../sudoers_default_includedir/bash/shared.sh | 7 ++++--
|
||||
.../oval/shared.xml | 23 +++++++++++++++++++
|
||||
.../sudo/sudoers_default_includedir/rule.yml | 7 +++---
|
||||
4 files changed, 46 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
index d9d5933285f..175a447e0d9 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
@@ -5,3 +5,17 @@
|
||||
# # disruption = low
|
||||
|
||||
{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
|
||||
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^#include(dir)?\s.*$'
|
||||
+ register: sudoers_d_includes
|
||||
+
|
||||
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: '^#include(dir)?\s.*$'
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_includes.files }}"
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
index 258af02c121..2d00b471677 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
@@ -1,6 +1,7 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
sudoers_config_file="/etc/sudoers"
|
||||
+sudoers_config_dir="/etc/sudoers.d"
|
||||
sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
|
||||
if [ "$sudoers_includedir_count" -gt 1 ]; then
|
||||
sed -i "/#includedir.*/d" "$sudoers_config_file"
|
||||
@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then
|
||||
elif [ "$sudoers_includedir_count" -eq 0 ]; then
|
||||
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
else
|
||||
- if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
- sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
|
||||
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
|
||||
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
|
||||
fi
|
||||
fi
|
||||
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
|
||||
+sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 5618c64291c..59cab0b89de 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -3,6 +3,8 @@
|
||||
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
<criteria operator="AND">
|
||||
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -20,4 +22,25 @@
|
||||
<ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_without_include" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||
+ <ind:object object_ref="object_sudoersd_without_includes" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
|
||||
+ <ind:path>/etc/sudoers.d/</ind:path>
|
||||
+ <ind:filename operation="pattern match">.*</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
index 5c33121f911..3a8c22ac8af 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -10,7 +10,7 @@ description: |-
|
||||
|
||||
Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
- <tt>/etc/sudoers.d</tt>
|
||||
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||
Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
|
||||
rationale: |-
|
||||
@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other
|
||||
ocil: |-
|
||||
To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
|
||||
run the following command:
|
||||
- <pre>$ sudo grep 'include' /etc/sudoers</pre>
|
||||
- If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
|
||||
+ <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
|
||||
+ If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
|
||||
+ Any other line returned is a finding.
|
||||
|
||||
From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 15:00:46 +0100
|
||||
Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir
|
||||
|
||||
---
|
||||
.../system/software/sudo/sudoers_default_includedir/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
index 3a8c22ac8af..a97bd3efb2c 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -27,6 +27,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
disa: CCI-000366
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel8: RHEL-08-010379
|
||||
|
||||
ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
|
||||
|
||||
From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 16:12:32 +0100
|
||||
Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 +
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index e4fee44f9f9..974b28757e9 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -365,6 +365,7 @@ selections:
|
||||
- sudo_remove_nopasswd
|
||||
- sudo_require_reauthentication
|
||||
- sudo_restrict_privilege_elevation_to_authorized
|
||||
+- sudoers_default_includedir
|
||||
- sudoers_validate_passwd
|
||||
- sysctl_crypto_fips_enabled
|
||||
- sysctl_fs_protected_hardlinks
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 83d04775e3a..99e0af4f5a6 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -376,6 +376,7 @@ selections:
|
||||
- sudo_remove_nopasswd
|
||||
- sudo_require_reauthentication
|
||||
- sudo_restrict_privilege_elevation_to_authorized
|
||||
+- sudoers_default_includedir
|
||||
- sudoers_validate_passwd
|
||||
- sysctl_crypto_fips_enabled
|
||||
- sysctl_fs_protected_hardlinks
|
||||
|
||||
From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 16:59:22 +0100
|
||||
Subject: [PATCH 8/9] Fix Ansible remediation metadata
|
||||
|
||||
---
|
||||
.../sudo/sudoers_default_includedir/ansible/shared.yml | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
index 175a447e0d9..0d8c9e75184 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
@@ -1,8 +1,8 @@
|
||||
# platform = multi_platform_all
|
||||
-# # reboot = false
|
||||
-# # strategy = configure
|
||||
-# # complexity = low
|
||||
-# # disruption = low
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
|
||||
{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
|
||||
|
||||
From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 17:39:39 +0100
|
||||
Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist
|
||||
|
||||
The remediation skips the directory, and the test scenarios create the
|
||||
dir to ensure the test scenario works.
|
||||
---
|
||||
.../sudo/sudoers_default_includedir/bash/shared.sh | 8 ++++++--
|
||||
.../tests/sudoers.d_with_include.fail.sh | 1 +
|
||||
.../tests/sudoers.d_with_includedir.fail.sh | 1 +
|
||||
3 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
index 2d00b471677..fbff5eb6f30 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
@@ -13,5 +13,9 @@ else
|
||||
sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
|
||||
fi
|
||||
fi
|
||||
-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
|
||||
-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
|
||||
+
|
||||
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
|
||||
+
|
||||
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
|
||||
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
index 554ef2e060d..3f14ecc1627 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
+mkdir -p /etc/sudoers.d
|
||||
# Ensure default config is there
|
||||
if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
index 516b68b5a3e..89515076ff1 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
+mkdir -p /etc/sudoers.d
|
||||
# Ensure default config is there
|
||||
if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
index 5353f60975c..69a36c4959a 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
@@ -43,7 +43,7 @@ references:
|
||||
stigid@ol7: OL07-00-010270
|
||||
stigid@ol8: OL08-00-020220
|
||||
stigid@rhel7: RHEL-07-010270
|
||||
- stigid@rhel8: RHEL-08-020220
|
||||
+ stigid@rhel8: RHEL-08-020221
|
||||
vmmsrg: SRG-OS-000077-VMM-000440
|
||||
|
||||
ocil_clause: |-
|
@ -1,49 +0,0 @@
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
index de0e359a44e..df56a30be80 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
@@ -39,6 +39,7 @@ references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||||
nist-csf: PR.AC-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-040321
|
||||
|
||||
ocil_clause: 'the X windows display server is running and/or has not been disabled'
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 09fa85df181..ffca983d0bd 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1169,6 +1169,9 @@ selections:
|
||||
# RHEL-08-040320
|
||||
- xwindows_remove_packages
|
||||
|
||||
+ # RHEL-08-040321
|
||||
+ - xwindows_runlevel_target
|
||||
+
|
||||
# RHEL-08-040330
|
||||
- network_sniffer_disabled
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
|
||||
index d1577215b07..d29ceb9c54e 100644
|
||||
--- a/products/rhel8/profiles/stig_gui.profile
|
||||
+++ b/products/rhel8/profiles/stig_gui.profile
|
||||
@@ -35,3 +35,6 @@ extends: stig
|
||||
selections:
|
||||
# RHEL-08-040320
|
||||
- '!xwindows_remove_packages'
|
||||
+
|
||||
+ # RHEL-08-040321
|
||||
+ - '!xwindows_runlevel_target'
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 9c05c27117c..e4fee44f9f9 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -398,6 +398,7 @@ selections:
|
||||
- usbguard_generate_policy
|
||||
- wireless_disable_interfaces
|
||||
- xwindows_remove_packages
|
||||
+- xwindows_runlevel_target
|
||||
- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=077
|
@ -1,38 +0,0 @@
|
||||
From 8605b236665b1022c7379e87d9445c9ca42e78f3 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 11:41:15 +0100
|
||||
Subject: [PATCH] Add SRG references to STIG rules.
|
||||
|
||||
Rules accounts_password_pam_pwquality_password_auth and accounts_password_pam_pwquality_system_auth
|
||||
were missing SRG required references.
|
||||
---
|
||||
.../accounts_password_pam_pwquality_password_auth/rule.yml | 2 ++
|
||||
.../accounts_password_pam_pwquality_system_auth/rule.yml | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
||||
index 6c7bb1ad7a0..34dd6e2fcca 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
||||
@@ -22,6 +22,8 @@ identifiers:
|
||||
cce@rhel9: CCE-85878-7
|
||||
|
||||
references:
|
||||
+ disa: CCI-000366
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel8: RHEL-08-020100
|
||||
|
||||
ocil_clause: 'pam_pwquality.so is not enabled in password-auth'
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
||||
index ea42ff9b07a..a5189c61608 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
||||
@@ -22,6 +22,8 @@ identifiers:
|
||||
cce@rhel9: CCE-85873-8
|
||||
|
||||
references:
|
||||
+ disa: CCI-000366
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel8: RHEL-08-020101
|
||||
|
||||
ocil_clause: 'pam_pwquality.so is not enabled in system-auth'
|
@ -1,369 +0,0 @@
|
||||
From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 16:17:52 +0100
|
||||
Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set
|
||||
|
||||
If no time server or pool is configured, there is no entry to add
|
||||
maxpoll option to, so the rule should evaluate to pass.
|
||||
---
|
||||
.../oval/shared.xml | 50 +++++++++++++++----
|
||||
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +
|
||||
.../tests/chrony_no_pool_nor_servers.pass.sh | 12 +++++
|
||||
3 files changed, 54 insertions(+), 10 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
index 780c2e2d0ba..76f810123f3 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
@@ -3,17 +3,25 @@
|
||||
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
|
||||
to continuously poll the time source servers.") }}}
|
||||
<criteria operator="OR">
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
||||
- test_ref="test_ntp_set_maxpoll" />
|
||||
- <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
- test_ref="test_ntp_all_server_has_maxpoll"/>
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
||||
+ test_ref="test_ntp_no_server"/>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
||||
+ test_ref="test_ntp_set_maxpoll" />
|
||||
+ <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
+ test_ref="test_ntp_all_server_has_maxpoll"/>
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
||||
- test_ref="test_chrony_set_maxpoll" />
|
||||
- <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
||||
- test_ref="test_chrony_all_server_has_maxpoll"/>
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_no_server_nor_pool"/>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_set_maxpoll" />
|
||||
+ <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_all_server_has_maxpoll"/>
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
@@ -77,4 +85,26 @@
|
||||
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
|
||||
+ id="test_chrony_no_server_nor_pool" version="1">
|
||||
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
+ id="test_ntp_no_server" version="1">
|
||||
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
|
||||
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
index 20e7467a7b5..c115ad3c115 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
@@ -13,6 +13,8 @@ description: |-
|
||||
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
|
||||
to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
|
||||
should be configured too.
|
||||
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
||||
+ to pass.
|
||||
{{% if product == "rhcos4" %}}
|
||||
<p>
|
||||
Note that if the remediation shipping with this content is being used, the
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..bbae20fc696
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+#
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+
|
||||
+yum remove -y ntp
|
||||
+
|
||||
+# Remove all pool and server options
|
||||
+sed -i "/^pool.*/d" /etc/chrony.conf
|
||||
+sed -i "/^server.*/d" /etc/chrony.conf
|
||||
+
|
||||
+systemctl enable chronyd.service
|
||||
|
||||
From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 11 Feb 2022 12:14:30 +0100
|
||||
Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive
|
||||
|
||||
This new rule only asserts that Chrony has at least one time source configured,
|
||||
and that it is done with the 'server' directive.
|
||||
No remediation is provided for rule, that is left for other specialized
|
||||
rules.
|
||||
---
|
||||
.../chronyd_server_directive/oval/shared.xml | 33 +++++++++++++++++++
|
||||
.../ntp/chronyd_server_directive/rule.yml | 32 ++++++++++++++++++
|
||||
.../tests/file_empty.fail.sh | 6 ++++
|
||||
.../tests/file_missing.fail.sh | 6 ++++
|
||||
.../tests/line_missing.fail.sh | 7 ++++
|
||||
.../tests/multiple_servers.pass.sh | 8 +++++
|
||||
.../tests/only_pool.fail.sh | 9 +++++
|
||||
.../tests/only_server.pass.sh | 6 ++++
|
||||
products/rhel8/profiles/stig.profile | 1 +
|
||||
products/rhel9/profiles/stig.profile | 1 +
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
.../data/profile_stability/rhel8/stig.profile | 1 +
|
||||
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
||||
13 files changed, 111 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..2244e608047
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
||||
@@ -0,0 +1,33 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
|
||||
+ <criteria comment="chrony.conf only has server directive">
|
||||
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
|
||||
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
|
||||
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
|
||||
+ version="1">
|
||||
+ <ind:object object_ref="object_chronyd_server_directive" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
|
||||
+ id="object_chronyd_server_directive" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
|
||||
+ version="1">
|
||||
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
|
||||
+ id="object_chronyd_no_pool_directive" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..6dc24f1be85
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Chrony is only configured with the server directive'
|
||||
+
|
||||
+description: |-
|
||||
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+platform: chrony
|
||||
+
|
||||
+warnings:
|
||||
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: CCE-86077-5
|
||||
+ cce@rhel9: CCE-87077-4
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001891
|
||||
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
|
||||
+ stigid@rhel8: RHEL-08-030740
|
||||
+
|
||||
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
|
||||
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
|
||||
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..d1ba0755198
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+echo "" > /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..12a50ebc3d2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+rm -f /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..bffa8b62b1b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+echo "some line" > /etc/chrony.conf
|
||||
+echo "another line" >> /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5527f389316
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+sed -i "^pool.*" /etc/chrony.conf
|
||||
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
||||
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..616fe8844fc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+sed -i "^server.*" /etc/chrony.conf
|
||||
+if ! grep "^pool.*" /etc/chrony.conf; then
|
||||
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..21a70dc4900
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+
|
||||
+sed -i "^pool.*" /etc/chrony.conf
|
||||
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 36f606ee461..2bd1fb54316 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -909,6 +909,7 @@ selections:
|
||||
# RHEL-08-030740
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+ - chronyd_server_directive
|
||||
|
||||
# RHEL-08-030741
|
||||
- chronyd_client_only
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 374932cfd32..0d4d7b0ff97 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -909,6 +909,7 @@ selections:
|
||||
# RHEL-08-030740
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+ - chronyd_server_directive
|
||||
|
||||
# RHEL-08-030741
|
||||
- chronyd_client_only
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 8c59c5d3201..0081fe1938f 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -152,7 +152,6 @@ CCE-86073-4
|
||||
CCE-86074-2
|
||||
CCE-86075-9
|
||||
CCE-86076-7
|
||||
-CCE-86077-5
|
||||
CCE-86078-3
|
||||
CCE-86079-1
|
||||
CCE-86080-9
|
||||
@@ -1079,7 +1078,6 @@ CCE-87073-3
|
||||
CCE-87074-1
|
||||
CCE-87075-8
|
||||
CCE-87076-6
|
||||
-CCE-87077-4
|
||||
CCE-87078-2
|
||||
CCE-87079-0
|
||||
CCE-87080-8
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 5b06103d72e..7d44f8910d1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -160,6 +160,7 @@ selections:
|
||||
- chronyd_client_only
|
||||
- chronyd_no_chronyc_network
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+- chronyd_server_directive
|
||||
- clean_components_post_updating
|
||||
- configure_bashrc_exec_tmux
|
||||
- configure_bind_crypto_policy
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 11e0ee9515a..91546d1d418 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -171,6 +171,7 @@ selections:
|
||||
- chronyd_client_only
|
||||
- chronyd_no_chronyc_network
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+- chronyd_server_directive
|
||||
- clean_components_post_updating
|
||||
- configure_bashrc_exec_tmux
|
||||
- configure_bind_crypto_policy
|
@ -1,50 +0,0 @@
|
||||
From cd544b1ceec3cfc799faf24fc83e99f950d1c9c9 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Wed, 23 Feb 2022 12:21:17 -0600
|
||||
Subject: [PATCH] Ensure that get_implemented_stigs in
|
||||
utils/create_scap_delta_tailoring.py works for all case
|
||||
|
||||
Before this commit using resolved_rules_dir would deselect all rules
|
||||
---
|
||||
utils/create_scap_delta_tailoring.py | 22 ++++++++++------------
|
||||
1 file changed, 10 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
|
||||
index 90e131cd01a..b1a44858a0f 100755
|
||||
--- a/utils/create_scap_delta_tailoring.py
|
||||
+++ b/utils/create_scap_delta_tailoring.py
|
||||
@@ -103,24 +103,22 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path,
|
||||
build_root):
|
||||
platform_rules = get_platform_rules(product, json_path, resolved_rules_dir, build_root)
|
||||
|
||||
- if resolved_rules_dir:
|
||||
- platform_rules_dict = dict()
|
||||
- for rule in platform_rules:
|
||||
- platform_rules_dict[rule['id']] = rule
|
||||
- return platform_rules_dict
|
||||
product_dir = os.path.join(root_path, "products", product)
|
||||
product_yaml_path = os.path.join(product_dir, "product.yml")
|
||||
env_yaml = ssg.environment.open_environment(build_config_yaml_path, str(product_yaml_path))
|
||||
|
||||
known_rules = dict()
|
||||
for rule in platform_rules:
|
||||
- try:
|
||||
- rule_obj = handle_rule_yaml(product, rule['id'],
|
||||
- rule['dir'], rule['guide'], env_yaml)
|
||||
- except ssg.yaml.DocumentationNotComplete:
|
||||
- sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id'])
|
||||
- # Happens on non-debug build when a rule is "documentation-incomplete"
|
||||
- continue
|
||||
+ if resolved_rules_dir:
|
||||
+ rule_obj = rule
|
||||
+ else:
|
||||
+ try:
|
||||
+ rule_obj = handle_rule_yaml(product, rule['id'],
|
||||
+ rule['dir'], rule['guide'], env_yaml)
|
||||
+ except ssg.yaml.DocumentationNotComplete:
|
||||
+ sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id'])
|
||||
+ # Happens on non-debug build when a rule is "documentation-incomplete"
|
||||
+ continue
|
||||
|
||||
if reference_str in rule_obj['references'].keys():
|
||||
ref = rule_obj['references'][reference_str]
|
@ -1,26 +0,0 @@
|
||||
From 9c57a8718f82458fe3784263fdb1e51bd08fff83 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 16 Feb 2022 12:46:21 +0100
|
||||
Subject: [PATCH] Do not remove krb5-workstation package on oVirt
|
||||
|
||||
---
|
||||
.../system-tools/package_krb5-workstation_removed/rule.yml | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
index 4d8951a9148..813474842ec 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
@@ -27,6 +27,12 @@ references:
|
||||
stigid@ol8: OL08-00-010162
|
||||
stigid@rhel8: RHEL-08-010162
|
||||
|
||||
+platforms:
|
||||
+{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}
|
||||
+
|
||||
+warnings:
|
||||
+{{{ ovirt_rule_notapplicable_warning("RHV hosts require ipa-client package, which has dependency on krb5-workstation") | indent(4) }}}
|
||||
+
|
||||
{{{ complete_ocil_entry_package(package="krb5-workstation") }}}
|
||||
|
||||
template:
|
@ -1,536 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..de85c892704
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
|
||||
@@ -0,0 +1,38 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Audit Configuration Files Must Be Owned By Group root'
|
||||
+
|
||||
+description: |-
|
||||
+ All audit configuration files must be owned by group root.
|
||||
+ <pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ Without the capability to restrict which roles and individuals can
|
||||
+ select which events are audited, unauthorized personnel may be able
|
||||
+ to prevent the auditing of critical events.
|
||||
+ Misconfigured audits may degrade the system's performance by
|
||||
+ overwhelming the audit log. Misconfigured audits may also make it more
|
||||
+ difficult to establish, correlate, and investigate the events relating
|
||||
+ to an incident or identify those responsible for one.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000171
|
||||
+ srg: SRG-OS-000063-GPOS-00032
|
||||
+ stigid@ubuntu2004: UBTU-20-010135
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
|
||||
+ {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /etc/audit/
|
||||
+ - /etc/audit/rules.d/
|
||||
+ file_regex:
|
||||
+ - ^audit(\.rules|d\.conf)$
|
||||
+ - ^.*\.rules$
|
||||
+ filegid: '0'
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5235e0d05a3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
|
||||
+export AUDITFILE=/etc/audit/auditd.conf
|
||||
+mkdir -p /etc/audit/rules.d/
|
||||
+touch $TESTFILE
|
||||
+touch $AUDITFILE
|
||||
+chgrp root $TESTFILE
|
||||
+chgrp root $AUDITFILE
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..52378d810a5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+groupadd group_test
|
||||
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
|
||||
+export AUDITFILE=/etc/audit/auditd.conf
|
||||
+mkdir -p /etc/audit/rules.d/
|
||||
+touch $TESTFILLE
|
||||
+touch $AUDITFILE
|
||||
+chgrp group_test $TESTFILLE
|
||||
+chgrp group_test $AUDITFILE
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
index 5e2cabafc34..927d08d03d4 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
@@ -1,8 +1,15 @@
|
||||
+{{% if 'ubuntu' in product %}}
|
||||
+{{% set gid = 'syslog' %}}
|
||||
+{{% else %}}
|
||||
+{{% set gid = 'root' %}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+
|
||||
documentation_complete: true
|
||||
|
||||
title: 'Verify Group Who Owns /var/log Directory'
|
||||
|
||||
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
|
||||
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
|
||||
|
||||
rationale: |-
|
||||
The <tt>/var/log</tt> directory contains files with logs of error
|
||||
@@ -22,13 +29,16 @@ references:
|
||||
stigid@rhel8: RHEL-08-010260
|
||||
stigid@ubuntu2004: UBTU-20-010417
|
||||
|
||||
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
|
||||
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
|
||||
|
||||
ocil: |-
|
||||
- {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
|
||||
+ {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
|
||||
|
||||
template:
|
||||
name: file_groupowner
|
||||
vars:
|
||||
filepath: /var/log/
|
||||
filegid: '0'
|
||||
+ filegid@ubuntu1604: '110'
|
||||
+ filegid@ubuntu1804: '110'
|
||||
+ filegid@ubuntu2004: '110'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..f654279fe54
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,27 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify Group Who Owns /var/log/syslog File'
|
||||
+
|
||||
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010420
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ filegid: '4'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..655b2cd1aef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,65 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that system commands directories are group owned by root'
|
||||
+
|
||||
+description: |-
|
||||
+ System commands files are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin
|
||||
+ </pre>
|
||||
+ All these directories should be owned by the <tt>root</tt> group.
|
||||
+ If the directory is found to be owned by a group other than root correct
|
||||
+ its ownership with the following command:
|
||||
+ <pre>$ sudo chgrp root <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ If the operating system allows any user to make changes to software
|
||||
+ libraries, then those changes might be implemented without undergoing the
|
||||
+ appropriate testing and approvals that are part of a robust change management
|
||||
+ process.
|
||||
+ This requirement applies to operating systems with software libraries
|
||||
+ that are accessible and configurable, as in the case of interpreted languages.
|
||||
+ Software libraries also include privileged programs which execute with
|
||||
+ escalated privileges. Only qualified and authorized individuals must be
|
||||
+ allowed to obtain access to information system components for purposes
|
||||
+ of initiating changes, including upgrades and modifications.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010425
|
||||
+
|
||||
+ocil_clause: 'any of these directories are not owned by root group'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System commands are stored in the following directories:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ For each of these directories, run the following command to find files not
|
||||
+ owned by root group:
|
||||
+ <pre>$ sudo find -L <i>$DIR</i> ! -group root -type d \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ filegid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index 28df7839430..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,23 +0,0 @@
|
||||
-# platform = multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = medium
|
||||
-# disruption = medium
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- find:
|
||||
- paths:
|
||||
- - "/usr/lib"
|
||||
- - "/usr/lib64"
|
||||
- - "/lib"
|
||||
- - "/lib64"
|
||||
- file_type: "directory"
|
||||
- register: library_dirs_not_owned_by_root
|
||||
-
|
||||
-- name: "Set ownership of system library dirs to root"
|
||||
- file:
|
||||
- path: "{{ item.path }}"
|
||||
- owner: "root"
|
||||
- state: "directory"
|
||||
- mode: "{{ item.mode }}"
|
||||
- with_items: "{{ library_dirs_not_owned_by_root.files }}"
|
||||
- when: library_dirs_not_owned_by_root.matched > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..f61a5f988dc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,77 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools are owned by group root'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ ownership configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010201
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chown :root [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with each audit tool not group-owned by root.
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ filegid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
index bb7c72550e9..a9e8c7d8e25 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
|
||||
index 7cf507ca5f4..33a0c85d35b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
|
||||
@@ -1,10 +1,12 @@
|
||||
#!/bin/bash
|
||||
|
||||
+groupadd group_test
|
||||
+
|
||||
for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
|
||||
do
|
||||
if [[ ! -f $TESTFILE ]]
|
||||
then
|
||||
touch $TESTFILE
|
||||
fi
|
||||
- chown nobody.nobody $TESTFILE
|
||||
+ chgrp group_test $TESTFILE
|
||||
done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index 08019fd48bb..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,26 +0,0 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = high
|
||||
-# disruption = medium
|
||||
-
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- find:
|
||||
- paths:
|
||||
- - "/usr/lib"
|
||||
- - "/usr/lib64"
|
||||
- - "/lib"
|
||||
- - "/lib64"
|
||||
- file_type: "file"
|
||||
- register: library_files_not_group_owned_by_root
|
||||
-
|
||||
-- name: "Set group ownership of system library files to root"
|
||||
- file:
|
||||
- path: "{{ item.path }}"
|
||||
- group: "root"
|
||||
- state: "file"
|
||||
- mode: "{{ item.mode }}"
|
||||
- with_items: "{{ library_files_not_group_owned_by_root.files }}"
|
||||
- when:
|
||||
- - library_files_not_group_owned_by_root.matched > 0
|
||||
- - item.gid != 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index 3a42beafb8a..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,7 +0,0 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-
|
||||
-find /lib \
|
||||
-/lib64 \
|
||||
-/usr/lib \
|
||||
-/usr/lib64 \
|
||||
-\! -group root -type f -exec chgrp root '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index f5ca9380b55..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,27 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
||||
- are owned by root.
|
||||
- ") }}}
|
||||
- <criteria >
|
||||
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
|
||||
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
|
||||
- <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
||||
- are owned by root. -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
|
||||
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
||||
- </unix:file_state>
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
index 17923f52ea6..eaf04c8d36c 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15
|
||||
+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
|
||||
|
||||
title: |-
|
||||
Verify the system-wide library files in directories
|
||||
@@ -46,6 +46,7 @@ references:
|
||||
stigid@rhel8: RHEL-08-010350
|
||||
stigid@sle12: SLES-12-010875
|
||||
stigid@sle15: SLES-15-010355
|
||||
+ stigid@ubuntu2004: UBTU-20-01430
|
||||
|
||||
ocil_clause: 'system wide library files are not group owned by root'
|
||||
|
||||
@@ -59,3 +60,14 @@ ocil: |-
|
||||
To find if system-wide library files stored in these directories are not group-owned by
|
||||
root run the following command for each directory <i>DIR</i>:
|
||||
<pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ filegid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
similarity index 86%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
index a4ae2854db1..0e982c3b8ca 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
similarity index 70%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
index c96f65b989c..23a7703f57d 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
@@ -1,10 +1,11 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
+groupadd group_test
|
||||
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
do
|
||||
if [[ ! -f $TESTFILE ]]
|
||||
then
|
||||
touch $TESTFILE
|
||||
fi
|
||||
- chown nobody.nobody $TESTFILE
|
||||
+ chgrp group_test $TESTFILE
|
||||
done
|
||||
diff --git a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
|
||||
index 938e6b30819..015ff98c99d 100644
|
||||
--- a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
|
||||
+++ b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
|
||||
@@ -1,8 +1,20 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
|
||||
-{{% if MISSING_FILE_PASS %}}
|
||||
- rm -f {{{ FILEPATH }}}
|
||||
-{{% else %}}
|
||||
- true
|
||||
-{{% endif %}}
|
||||
+{{% for path in FILEPATH %}}
|
||||
+ {{% if MISSING_FILE_PASS %}}
|
||||
+ rm -f {{{ path }}}
|
||||
+ {{% else %}}
|
||||
+ {{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
+ echo "Create specific tests for this rule because of regex"
|
||||
+ {{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+ find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
|
||||
+ {{% else %}}
|
||||
+ if [ ! -f {{{ path }}} ]; then
|
||||
+ mkdir -p "$(dirname '{{{ path }}}')"
|
||||
+ touch {{{ path }}}
|
||||
+ fi
|
||||
+ chgrp {{{ FILEGID }}} {{{ path }}}
|
||||
+ {{% endif %}}
|
||||
+ {{% endif %}}
|
||||
+{{% endfor %}}
|
@ -1,288 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..968ef336148
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
||||
@@ -0,0 +1,39 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Audit Configuration Files Must Be Owned By Root'
|
||||
+
|
||||
+description: |-
|
||||
+ All audit configuration files must be owned by root user.
|
||||
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
||||
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Without the capability to restrict which roles and individuals can
|
||||
+ select which events are audited, unauthorized personnel may be able
|
||||
+ to prevent the auditing of critical events.
|
||||
+ Misconfigured audits may degrade the system's performance by
|
||||
+ overwhelming the audit log. Misconfigured audits may also make it more
|
||||
+ difficult to establish, correlate, and investigate the events relating
|
||||
+ to an incident or identify those responsible for one.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000171
|
||||
+ srg: SRG-OS-000063-GPOS-00032
|
||||
+ stigid@ubuntu2004: UBTU-20-010134
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
||||
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /etc/audit/
|
||||
+ - /etc/audit/rules.d/
|
||||
+ file_regex:
|
||||
+ - ^audit(\.rules|d\.conf)$
|
||||
+ - ^.*\.rules$
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..4d67307a1ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = audit
|
||||
+
|
||||
+chown 0 /etc/audit/audit.rules
|
||||
+chown 0 /etc/audit/auditd.conf
|
||||
+chown 0 -R /etc/audit/rules.d/
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..337074fab92
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# packages = audit
|
||||
+
|
||||
+useradd testuser_123
|
||||
+chown testuser_123 /etc/audit/audit.rules
|
||||
+chown testuser_123 /etc/audit/auditd.conf
|
||||
+chown testuser_123 -R /etc/audit/rules.d/
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..f1bf515455d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,27 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify User Who Owns /var/log/syslog File'
|
||||
+
|
||||
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010421
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ fileuid: '104'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..e2362388678
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,55 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify that System Executable Have Root Ownership'
|
||||
+
|
||||
+description: |-
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ All these directories should be owned by the <tt>root</tt> user.
|
||||
+ If any directory <i>DIR</i> in these directories is found
|
||||
+ to be owned by a user other than root, correct its ownership with the
|
||||
+ following command:
|
||||
+ <pre>$ sudo chown root <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ System binaries are executed by privileged users as well as system services,
|
||||
+ and restrictive permissions are necessary to ensure that their
|
||||
+ execution of these programs cannot be co-opted.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010424
|
||||
+
|
||||
+ocil_clause: 'any system exectables directories are found to not be owned by root'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin
|
||||
+ /usr/sbin</pre>
|
||||
+ For each of these directories, run the following command to find files
|
||||
+ not owned by root:
|
||||
+ <pre>$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..0c7d9b313d5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,77 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools are owned by root'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ ownership configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010200
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chown root [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with each audit tool not owned by root.
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ fileuid: '0'
|
||||
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
||||
index 80eaae8d50b..590c9fc6055 100644
|
||||
--- a/shared/templates/file_owner/ansible.template
|
||||
+++ b/shared/templates/file_owner/ansible.template
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
- name: Ensure owner on {{{ path }}} recursively
|
||||
file:
|
||||
- paths "{{{ path }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
state: directory
|
||||
recurse: yes
|
||||
owner: "{{{ FILEUID }}}"
|
||||
diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
||||
index 938e6b30819..4e3683f9dcf 100644
|
||||
--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
||||
+++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh
|
||||
@@ -1,8 +1,18 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
|
||||
-{{% if MISSING_FILE_PASS %}}
|
||||
- rm -f {{{ FILEPATH }}}
|
||||
-{{% else %}}
|
||||
- true
|
||||
-{{% endif %}}
|
||||
+{{% for path in FILEPATH %}}
|
||||
+ {{% if MISSING_FILE_PASS %}}
|
||||
+ rm -f {{{ path }}}
|
||||
+ {{% else %}}
|
||||
+ {{% if IS_DIRECTORY and RECURSIVE %}}
|
||||
+ find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
|
||||
+ {{% else %}}
|
||||
+ if [ ! -f {{{ path }}} ]; then
|
||||
+ mkdir -p "$(dirname '{{{ path }}}')"
|
||||
+ touch {{{ path }}}
|
||||
+ fi
|
||||
+ chown {{{ FILEUID }}} {{{ path }}}
|
||||
+ {{% endif %}}
|
||||
+ {{% endif %}}
|
||||
+{{% endfor %}}
|
@ -1,409 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
|
||||
new file mode 100644
|
||||
index 00000000000..93fd73e6ece
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+# platform = multi_platform_ubuntu
|
||||
+
|
||||
+readarray -t files < <(find /var/log/)
|
||||
+for file in "${files[@]}"; do
|
||||
+ if basename $file | grep -qE '^.*$'; then
|
||||
+ chmod 0640 $file
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index dd95ce05936..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,36 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="permissions_local_var_log" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that files in /var/log have permission at least 0640
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_mode_log_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="log file with less restrictive permission than 0640" id="test_mode_log_files" version="1">
|
||||
- <unix:object object_ref="object_file_mode_log_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="log files" id="object_file_mode_log_files" version="1">
|
||||
- <unix:path operation="pattern match">^\/var\/log\/</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">log_files_permission_more_0640</filter>
|
||||
- <filter action="exclude">var_log_symlinks</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="log_files_permission_more_0640" version="1" operator="OR">
|
||||
- <!-- if any one of these is true then mode is NOT 0640 (hence the OR operator) -->
|
||||
- <unix:uexec datatype="boolean">true</unix:uexec>
|
||||
- <unix:gwrite datatype="boolean">true</unix:gwrite>
|
||||
- <unix:gexec datatype="boolean">true</unix:gexec>
|
||||
- <unix:oread datatype="boolean">true</unix:oread>
|
||||
- <unix:owrite datatype="boolean">true</unix:owrite>
|
||||
- <unix:oexec datatype="boolean">true</unix:oexec>
|
||||
- </unix:file_state>
|
||||
-
|
||||
- <unix:file_state id="var_log_symlinks" version="1">
|
||||
- <unix:type operation="equals">symbolic link</unix:type>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
index 2b0431b7763..9ce79cfde4e 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
@@ -47,3 +47,10 @@ ocil: |-
|
||||
<pre>
|
||||
sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
|
||||
</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath: /var/log/
|
||||
+ file_regex: '.*'
|
||||
+ filemode: '0640'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
index 5317ef272b8..1793259cff5 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
@@ -1,5 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
+chmod -R 640 /var/log
|
||||
mkdir -p /var/log/testme
|
||||
touch /var/log/testme/test.log
|
||||
chmod 640 /var/log/testme/test.log
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
index 83db1acf8d3..69b081473a5 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
+chmod -R 640 /var/log/
|
||||
mkdir -p /var/log/testme
|
||||
chmod 777 /var/log/testme
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
|
||||
new file mode 100644
|
||||
index 00000000000..93962ea66a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_ubuntu
|
||||
+
|
||||
+chmod 0755 /var/log/
|
||||
+
|
||||
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
|
||||
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..73258d40fdc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,28 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify Permissions on /var/log/syslog File'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010422
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ filemode: '0640'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..a666c768870
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,57 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify that System Executable Directories Have Restrictive Permissions'
|
||||
+
|
||||
+description: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ These directories should not be group-writable or world-writable.
|
||||
+ If any directory <i>DIR</i> in these directories is found to be
|
||||
+ group-writable or world-writable, correct its permission with the
|
||||
+ following command:
|
||||
+ <pre>$ sudo chmod go-w <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ System binaries are executed by privileged users, as well as system services,
|
||||
+ and restrictive permissions are necessary to ensure execution of these programs
|
||||
+ cannot be co-opted.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010423
|
||||
+
|
||||
+ocil_clause: 'any of these files are group-writable or world-writable'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ To find system executables directories that are group-writable or
|
||||
+ world-writable, run the following command for each directory <i>DIR</i>
|
||||
+ which contains system executables:
|
||||
+ <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ filemode: '0755'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index 3f7239deef9..af078463b05 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
index 1f68586853d..d58616bcafb 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
@@ -1,5 +1,6 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
+ chmod -R 755 "$dirPath"
|
||||
mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
|
||||
done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
index b60a7269568..98d18cde3ea 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
index 5438b51bb6a..6df6e2f8f9b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..da42e997478
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,78 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools Have Mode 0755 or less'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ permissions configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl 755
|
||||
+ /sbin/aureport 755
|
||||
+ /sbin/ausearch 755
|
||||
+ /sbin/autrace 755
|
||||
+ /sbin/auditd 755
|
||||
+ /sbin/audispd 755
|
||||
+ /sbin/augenrules 755
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010199
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl 755
|
||||
+ /sbin/aureport 755
|
||||
+ /sbin/ausearch 755
|
||||
+ /sbin/autrace 755
|
||||
+ /sbin/auditd 755
|
||||
+ /sbin/audispd 755
|
||||
+ /sbin/augenrules 755
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chmod 0755 [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with the audit tool that does not have the
|
||||
+ correct permissions.
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ filemode: '0755'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
index de2e1e98dfa..ab89b277a52 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..59b8838581c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9d9ce30064b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type f -exec chmod 0777 '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..de388e63325
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ chmod -R 755 "$dirPath"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..913e75e7b17
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type d -exec chmod go-w '{}' \;
|
||||
+ find "$dirPath" -type f -exec chmod go+w '{}' \;
|
||||
+done
|
||||
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
|
||||
index 89083e812c1..6b3616a7f42 100644
|
||||
--- a/shared/templates/file_permissions/oval.template
|
||||
+++ b/shared/templates/file_permissions/oval.template
|
||||
@@ -67,6 +67,11 @@
|
||||
#}}
|
||||
<filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+
|
||||
+ <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
|
@ -1,44 +0,0 @@
|
||||
From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 15 Feb 2022 14:12:55 +0100
|
||||
Subject: [PATCH] Simply mask services that should be disabled
|
||||
|
||||
At some point Ansible started to return much more services in
|
||||
ansible_facts.services, including services that are not installed.
|
||||
This caused the task to think that the service exists, attempt to stop
|
||||
and mask the service.
|
||||
But systemd module fatal errors on non existing services, although the
|
||||
module ends up masking the service in question.
|
||||
|
||||
The bash remediations simply mask the service, even if it is not
|
||||
installed.
|
||||
Let's do the same with Ansible, mask the service and ignore errors.
|
||||
|
||||
One down side is that every non-existing service is reported as an
|
||||
error, which is ignored. But still a fatal error.
|
||||
---
|
||||
shared/templates/service_disabled/ansible.template | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
|
||||
index 550ed563056..254f41ac7fd 100644
|
||||
--- a/shared/templates/service_disabled/ansible.template
|
||||
+++ b/shared/templates/service_disabled/ansible.template
|
||||
@@ -6,16 +6,13 @@
|
||||
{{%- if init_system == "systemd" %}}
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
block:
|
||||
- - name: Gather the service facts
|
||||
- service_facts:
|
||||
-
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
systemd:
|
||||
name: "{{{ DAEMONNAME }}}.service"
|
||||
enabled: "no"
|
||||
state: "stopped"
|
||||
masked: "yes"
|
||||
- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
|
||||
+ ignore_errors: 'yes'
|
||||
|
||||
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
|
||||
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
|
@ -1,22 +0,0 @@
|
||||
From 50eb163d9e9751c2e8cf8129523a8cf7e07a5930 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Thu, 17 Feb 2022 12:49:32 -0600
|
||||
Subject: [PATCH] get_implemented_stigs in utils/create_scap_delta_tailoring.py
|
||||
should return the implemented stig items
|
||||
|
||||
---
|
||||
utils/create_scap_delta_tailoring.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
|
||||
index 2c3c5d0df32..25ad1aef66e 100755
|
||||
--- a/utils/create_scap_delta_tailoring.py
|
||||
+++ b/utils/create_scap_delta_tailoring.py
|
||||
@@ -127,6 +127,7 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path,
|
||||
known_rules[ref].append(rule['id'])
|
||||
else:
|
||||
known_rules[ref] = [rule['id']]
|
||||
+ return known_rules
|
||||
|
||||
|
||||
get_implemented_stigs.__annotations__ = {'product': str, 'root_path': str,
|
@ -1,116 +0,0 @@
|
||||
From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 22 Feb 2022 17:15:43 +0100
|
||||
Subject: [PATCH 1/3] remove extend definition from ovals
|
||||
|
||||
---
|
||||
.../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml | 1 -
|
||||
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 -
|
||||
2 files changed, 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
||||
index c5ae0550e6b..52d86fd4478 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
||||
@@ -5,7 +5,6 @@
|
||||
<extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
||||
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="proc_sys_crypto_fips_enabled" />
|
||||
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
</criteria>
|
||||
</definition>
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 699dca06dd1..6c3f57e143f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -6,7 +6,6 @@
|
||||
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
||||
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 22 Feb 2022 17:17:28 +0100
|
||||
Subject: [PATCH 2/3] chang warning and description
|
||||
|
||||
---
|
||||
.../integrity/fips/enable_fips_mode/rule.yml | 25 ++++---------------
|
||||
1 file changed, 5 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
index 9d89114b07f..6b055eac8ff 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
@@ -13,11 +13,9 @@ description: |-
|
||||
<ul>
|
||||
<li>Setting the kernel FIPS mode flag (<tt>/proc/sys/crypto/fips_enabled</tt>) to <tt>1</tt></li>
|
||||
<li>Creating <tt>/etc/system-fips</tt></li>
|
||||
- <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>FIPS</tt></li>
|
||||
+ <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
|
||||
<li>Loading the Dracut <tt>fips</tt> module</li>
|
||||
</ul>
|
||||
- This rule also ensures that the system policy is set to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>.
|
||||
- Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
|
||||
|
||||
rationale: |-
|
||||
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
|
||||
@@ -48,7 +46,7 @@ references:
|
||||
ocil_clause: 'FIPS mode is not enabled'
|
||||
|
||||
ocil: |-
|
||||
- To verify that FIPS is enabled properly, run the following command:
|
||||
+ To verify that FIPS mode is enabled properly, run the following command:
|
||||
<pre>fips-mode-setup --check</pre>
|
||||
The output should contain the following:
|
||||
<pre>FIPS mode is enabled.</pre>
|
||||
@@ -61,19 +59,6 @@ warnings:
|
||||
- general: |-
|
||||
The system needs to be rebooted for these changes to take effect.
|
||||
- regulatory: |-
|
||||
- System Crypto Modules must be provided by a vendor that undergoes
|
||||
- FIPS-140 certifications.
|
||||
- FIPS-140 is applicable to all Federal agencies that use
|
||||
- cryptographic-based security systems to protect sensitive information
|
||||
- in computer and telecommunication systems (including voice systems) as
|
||||
- defined in Section 5131 of the Information Technology Management Reform
|
||||
- Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
- designing and implementing cryptographic modules that Federal
|
||||
- departments and agencies operate or are operated for them under
|
||||
- contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
- To meet this, the system has to have cryptographic software provided by
|
||||
- a vendor that has undergone this certification. This means providing
|
||||
- documentation, test results, design information, and independent third
|
||||
- party review by an accredited lab. While open source software is
|
||||
- capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
- submits to this process.
|
||||
+ This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
|
||||
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
|
||||
+ This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
|
||||
|
||||
From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Wed, 23 Feb 2022 09:16:09 +0100
|
||||
Subject: [PATCH 3/3] Update
|
||||
linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
|
||||
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
|
||||
---
|
||||
.../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
index 6b055eac8ff..30cbc939bed 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
@@ -60,5 +60,5 @@ warnings:
|
||||
The system needs to be rebooted for these changes to take effect.
|
||||
- regulatory: |-
|
||||
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
|
||||
- You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
|
||||
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.
|
||||
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
|
@ -1,854 +0,0 @@
|
||||
From 51a826878ade2ebb564405991937ba0e2b2b7717 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 2 Feb 2022 14:25:30 +0100
|
||||
Subject: [PATCH 1/8] create two macros
|
||||
|
||||
one provides description for grub2_argument templated rules
|
||||
the second provides ocil for those cases
|
||||
---
|
||||
shared/macros.jinja | 56 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 56 insertions(+)
|
||||
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 00358e2f67c..3d41c998b0c 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -1620,3 +1620,59 @@ The audit daemon must be restarted for the changes to take effect.
|
||||
- no_ovirt
|
||||
{{%- endif %}}
|
||||
{{% endmacro %}}
|
||||
+
|
||||
+{{#
|
||||
+ Describe how to configure Grub2 to add an argument to the default kernel command line.
|
||||
+ The parameter should be in form `parameter=value`.
|
||||
+#}}
|
||||
+{{%- macro describe_grub2_argument(arg_name_value) -%}}
|
||||
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||||
+To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
|
||||
+argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
|
||||
+default Grub2 command line for Linux operating systems. Modify the line within
|
||||
+<tt>/etc/default/grub</tt> as shown below:
|
||||
+<pre>GRUB_CMDLINE_LINUX="... {{{ arg_name_value }}} ..."</pre>
|
||||
+Run the following command to update command line for already installed kernels:
|
||||
+{{%- if 'ubuntu' in product -%}}
|
||||
+<pre># update-grub</pre>
|
||||
+{{%- else -%}}
|
||||
+<pre># grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"</pre>
|
||||
+{{%- endif -%}}
|
||||
+{{%- else -%}}
|
||||
+Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
|
||||
+<pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"</pre>
|
||||
+{{%- endif -%}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
+{{#
|
||||
+ Provide OCIL for checking if an argument for kernel command line is configured with Grub2.
|
||||
+ The parameter should have form `parameter=value`.
|
||||
+#}}
|
||||
+{{%- macro ocil_grub2_argument(arg_name_value) -%}}
|
||||
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||||
+Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
+in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
|
||||
+then auditinng will be enabled for newly installed kernels.
|
||||
+First check if the GRUB recovery is enabled:
|
||||
+<pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||||
+If this option is set to true, then check that a line is output by the following command:
|
||||
+<pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>
|
||||
+If the recovery is disabled, check the line with
|
||||
+<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
|
||||
+{{%- if 'ubuntu' in product -%}}
|
||||
+Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||||
+<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
|
||||
+This command should not return any output.
|
||||
+{{%- else -%}}
|
||||
+Moreover, command line parameters for currently installed kernels should be checked as well.
|
||||
+Run the following command:
|
||||
+<pre># grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'</pre>
|
||||
+The command should not return any output.
|
||||
+{{%- endif -%}}
|
||||
+{{%- else -%}}
|
||||
+Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
|
||||
+is enabled at boot time.
|
||||
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
+{{%- endif -%}}
|
||||
+{{%- endmacro -%}}
|
||||
|
||||
From c8cb579db19bd55eebcb0bdc4b1432368a5c1b77 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 2 Feb 2022 14:26:26 +0100
|
||||
Subject: [PATCH 2/8] use new macros in grub2_audit_argument
|
||||
|
||||
---
|
||||
.../auditing/grub2_audit_argument/rule.yml | 45 ++-----------------
|
||||
1 file changed, 3 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
index 96dbe67699e..aff0521ee73 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
@@ -7,15 +7,8 @@ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
|
||||
description: |-
|
||||
To ensure all processes can be audited, even those which start
|
||||
prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
-{{% if product in ["rhel7", "ol7"] %}}
|
||||
- <tt>/etc/default/grub</tt>, so that the line looks similar to
|
||||
- <pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
|
||||
- In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
|
||||
-{{% else %}}
|
||||
- <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
|
||||
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
|
||||
-{{% endif %}}
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("audit=1") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Each process on the system carries an "auditable" flag which indicates whether
|
||||
@@ -59,39 +52,7 @@ references:
|
||||
ocil_clause: 'auditing is not enabled at boot time'
|
||||
|
||||
ocil: |-
|
||||
-{{% if product in ["rhel7", "ol7", "sle12","sle15"] %}}
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If it includes <tt>audit=1</tt>, then auditing
|
||||
- is enabled at boot time.
|
||||
- First check if the GRUB recovery is enabled:
|
||||
- <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||||
- If this option is set to true, then check that a line is output by the following command:
|
||||
- <pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub</pre>
|
||||
- If the recovery is disabled, check the line with
|
||||
- <pre>$ grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub</pre>.
|
||||
- Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||||
- <pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'audit=1'</pre>
|
||||
- This command should not return any output. If it does, update the configuration with
|
||||
- <pre># grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||||
- <br /><br />
|
||||
- Alternatively, to ensure <tt>audit=1</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"</pre>
|
||||
- <br />
|
||||
-{{% else %}}
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>audit=1</tt>, then auditing
|
||||
- is enabled at boot time.
|
||||
- <pre># grep 'kernelopts.*audit=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
- <br /><br />
|
||||
- To ensure <tt>audit=1</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
|
||||
- <br />
|
||||
-{{% endif %}}
|
||||
-
|
||||
+ {{{ ocil_grub2_argument("audit=1") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
|
||||
From 3ff2c245408d3fe892222eee8171e2f84868f705 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 14:25:34 +0100
|
||||
Subject: [PATCH 3/8] fix omission in ocil jinja macro
|
||||
|
||||
---
|
||||
shared/macros.jinja | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 3d41c998b0c..16a0404b668 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -1652,7 +1652,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
|
||||
{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||||
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
|
||||
-then auditinng will be enabled for newly installed kernels.
|
||||
+then the parameter will be configured for newly installed kernels.
|
||||
First check if the GRUB recovery is enabled:
|
||||
<pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||||
If this option is set to true, then check that a line is output by the following command:
|
||||
@@ -1671,8 +1671,8 @@ The command should not return any output.
|
||||
{{%- endif -%}}
|
||||
{{%- else -%}}
|
||||
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
|
||||
-is enabled at boot time.
|
||||
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||||
+is configured at boot time.
|
||||
<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
{{%- endif -%}}
|
||||
{{%- endmacro -%}}
|
||||
|
||||
From 976da69681d03d9b9380fc57216c30c7b4891f50 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 14:26:33 +0100
|
||||
Subject: [PATCH 4/8] use new jinja macros in all grub2 related rules
|
||||
|
||||
---
|
||||
.../rule.yml | 15 ++-----
|
||||
.../grub2_enable_iommu_force/rule.yml | 9 +++-
|
||||
.../grub2_init_on_alloc_argument/rule.yml | 18 ++------
|
||||
.../grub2_kernel_trust_cpu_rng/rule.yml | 11 ++---
|
||||
.../grub2_pti_argument/rule.yml | 15 ++-----
|
||||
.../grub2_vsyscall_argument/rule.yml | 15 ++-----
|
||||
.../grub2_ipv6_disable_argument/rule.yml | 45 ++-----------------
|
||||
.../grub2_page_poison_argument/rule.yml | 15 ++-----
|
||||
.../grub2_slub_debug_argument/rule.yml | 15 ++-----
|
||||
9 files changed, 33 insertions(+), 125 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
index f94ddab2fe1..868d525014f 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
@@ -7,9 +7,8 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon'
|
||||
description: |-
|
||||
To improve the kernel capacity to queue all log events, even those which occurred
|
||||
prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
- <tt>/etc/default/grub</tt>, in the manner below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"</pre>
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
audit_backlog_limit sets the queue length for audit events awaiting transfer
|
||||
@@ -40,15 +39,7 @@ references:
|
||||
ocil_clause: 'audit backlog limit is not configured'
|
||||
|
||||
ocil: |-
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If they include <tt>audit=1</tt>, then auditing
|
||||
- is enabled at boot time.
|
||||
- <br /><br />
|
||||
- To ensure <tt>audit_backlog_limit=8192</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"</pre>
|
||||
- <br />
|
||||
+ {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
index 0a0d76aeb23..1ff5a4d5f26 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
@@ -5,9 +5,10 @@ title: 'IOMMU configuration directive'
|
||||
description: |-
|
||||
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
|
||||
of the system critical units such as the memory.
|
||||
+ {{{ describe_grub2_argument("iommu=force") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
- On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by
|
||||
+ On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by
|
||||
hardware devices.
|
||||
|
||||
severity: unknown
|
||||
@@ -22,6 +23,12 @@ references:
|
||||
|
||||
platform: machine
|
||||
|
||||
+ocil_clause: 'I/OMMU is not activated'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_grub2_argument("iommu=force") | indent(4) }}}
|
||||
+
|
||||
+
|
||||
warnings:
|
||||
- functionality:
|
||||
Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
index a9253c74cc6..3bb645dadb7 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
@@ -6,12 +6,8 @@ title: 'Configure kernel to zero out memory before allocation'
|
||||
|
||||
description: |-
|
||||
To configure the kernel to zero out memory before allocating it, add the
|
||||
- <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for
|
||||
- the Linux operating system in <tt>/etc/default/grub</tt>, in the manner
|
||||
- below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"</pre>
|
||||
- Update the boot parameter for existing kernels by running the following command:
|
||||
- <pre># grubby --update-kernel=ALL --args="init_on_alloc=1"</pre>
|
||||
+ <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line.
|
||||
+ {{{ describe_grub2_argument("init_on_alloc=1") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
|
||||
@@ -27,15 +23,7 @@ identifiers:
|
||||
ocil_clause: 'the kernel is not configured to zero out memory before allocation'
|
||||
|
||||
ocil: |-
|
||||
- Make sure that the kernel is configured to zero out memory before
|
||||
- allocation. Ensure that the parameter is configured in
|
||||
- <tt>/etc/default/grub</tt>:
|
||||
- <pre>grep GRUB_CMDLINE_LINUX /etc/default/grub</pre>
|
||||
- The output should contain <tt>init_on_alloc=1</tt>.
|
||||
- Run the following command to display command line parameters of all
|
||||
- installed kernels:
|
||||
- <pre># grubby --info=ALL | grep args</pre>
|
||||
- Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.
|
||||
+ {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}}
|
||||
|
||||
platform: machine
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
index 308ae9cb735..d6bfc02f345 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
@@ -11,8 +11,8 @@ description: |-
|
||||
<tt>Y</tt>, make sure that it is not overridden with the boot parameter.
|
||||
There must not exist the boot parameter <tt>random.trust_cpu=off</tt>. If
|
||||
the option is not compiled in, make sure that <tt>random.trust_cpu=on</tt>
|
||||
- is configured as a boot parameter by running the following command:
|
||||
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"</pre>
|
||||
+ is configured as a boot parameter.
|
||||
+ {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
The Linux kernel offers an option which signifies if the kernel should trust
|
||||
@@ -44,11 +44,8 @@ ocil: |-
|
||||
option is not overridden through a boot parameter:
|
||||
<pre>sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
The command should not return any output. If the option is not compiled into
|
||||
- the kernel, check that the option is configured through boot parameter with
|
||||
- the following command:
|
||||
- <pre>sudo grep 'kernelopts.*random\.trust_cpu=on.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
- If the command does not return any output, then the boot parameter is
|
||||
- missing.
|
||||
+ the kernel, check that the option is configured through boot parameter.
|
||||
+ {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}
|
||||
|
||||
platform: machine
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
index f4f3fa39510..51b0a284746 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
@@ -7,9 +7,8 @@ title: 'Enable Kernel Page-Table Isolation (KPTI)'
|
||||
description: |-
|
||||
To enable Kernel page-table isolation,
|
||||
add the argument <tt>pti=on</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
- <tt>/etc/default/grub</tt>, in the manner below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="pti=on"</pre>
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("pti=on") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Kernel page-table isolation is a kernel feature that mitigates
|
||||
@@ -33,15 +32,7 @@ references:
|
||||
ocil_clause: 'Kernel page-table isolation is not enabled'
|
||||
|
||||
ocil: |-
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If they include <tt>pti=on</tt>,
|
||||
- then Kernel page-table isolation is enabled at boot time.
|
||||
- <br /><br />
|
||||
- To ensure <tt>pti=on</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on</pre>
|
||||
- <br />
|
||||
+ {{{ ocil_grub2_argument("pti=on") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
index 9f38a1c13b9..1b88d13bd3c 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
@@ -7,9 +7,8 @@ title: 'Disable vsyscalls'
|
||||
description: |-
|
||||
To disable use of virtual syscalls,
|
||||
add the argument <tt>vsyscall=none</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
- <tt>/etc/default/grub</tt>, in the manner below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="vsyscall=none"</pre>
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Virtual Syscalls provide an opportunity of attack for a user who has control
|
||||
@@ -33,15 +32,7 @@ references:
|
||||
ocil_clause: 'vsyscalls are enabled'
|
||||
|
||||
ocil: |-
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If they include <tt>vsyscall=none</tt>,
|
||||
- then virtyal syscalls are not enabled at boot time.
|
||||
- <br /><br />
|
||||
- To ensure <tt>vsyscall=none</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none</pre>
|
||||
- <br />
|
||||
+ {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
index b8ff66c7d6e..c0fda343a1a 100644
|
||||
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
@@ -7,20 +7,8 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter'
|
||||
description: |-
|
||||
To disable IPv6 protocol support in the Linux kernel,
|
||||
add the argument <tt>ipv6.disable=1</tt> to the default
|
||||
- GRUB2 command line for the Linux operating system in
|
||||
-{{% if product in ["rhel7", "ol7"] %}}
|
||||
- <tt>/etc/default/grub</tt>, so that the line looks similar to
|
||||
- <pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
|
||||
- In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
|
||||
- Run one of following command to ensure that the configuration is applied when booting currently installed kernels:
|
||||
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||||
- or
|
||||
- <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
|
||||
-{{% else %}}
|
||||
- <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
|
||||
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
|
||||
-{{% endif %}}
|
||||
-
|
||||
+ GRUB2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("ipv6.disable=1") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Any unnecessary network stacks, including IPv6, should be disabled to reduce
|
||||
@@ -40,34 +28,7 @@ references:
|
||||
ocil_clause: 'IPv6 is not disabled'
|
||||
|
||||
ocil: |-
|
||||
- {{% if product in ["rhel7", "ol7"] %}}
|
||||
- Inspect the form of default GRUB2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
|
||||
- First check if the GRUB recovery is enabled:
|
||||
- <pre>grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||||
- If this option is set to true, then check that the following line is output by the following command:
|
||||
- <pre>grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
|
||||
- If the recovery is disabled, check the line with
|
||||
- <pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
|
||||
- Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||||
- <pre>sudo grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'ipv6.disable=1'</pre>
|
||||
- This command should not return any output. If it does, update the configuration with one of following commands:
|
||||
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||||
- or
|
||||
- <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
|
||||
- <br />
|
||||
-{{% else %}}
|
||||
- Inspect the form of default GRUB2 command line for the Linux operating system
|
||||
- in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
|
||||
- <pre>sudo grep 'kernelopts.*ipv6.disable=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
- <br /><br />
|
||||
- To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
|
||||
- <br />
|
||||
-{{% endif %}}
|
||||
-
|
||||
+ {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
index 3bf592fb4d8..1f4e183d9e7 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
@@ -7,9 +7,8 @@ title: 'Enable page allocator poisoning'
|
||||
description: |-
|
||||
To enable poisoning of free pages,
|
||||
add the argument <tt>page_poison=1</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
- <tt>/etc/default/grub</tt>, in the manner below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="page_poison=1"</pre>
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("page_poison=1") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Poisoning writes an arbitrary value to freed pages, so any modification or
|
||||
@@ -35,15 +34,7 @@ references:
|
||||
ocil_clause: 'page allocator poisoning is not enabled'
|
||||
|
||||
ocil: |-
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If they include <tt>page_poison=1</tt>,
|
||||
- then page poisoning is enabled at boot time.
|
||||
- <br /><br />
|
||||
- To ensure <tt>page_poison=1</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1</pre>
|
||||
- <br />
|
||||
+ {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
index 9964399650a..bb5dbc6c125 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
@@ -7,9 +7,8 @@ title: 'Enable SLUB/SLAB allocator poisoning'
|
||||
description: |-
|
||||
To enable poisoning of SLUB/SLAB objects,
|
||||
add the argument <tt>slub_debug=P</tt> to the default
|
||||
- GRUB 2 command line for the Linux operating system in
|
||||
- <tt>/etc/default/grub</tt>, in the manner below:
|
||||
- <pre>GRUB_CMDLINE_LINUX="slub_debug=P"</pre>
|
||||
+ GRUB 2 command line for the Linux operating system.
|
||||
+ {{{ describe_grub2_argument("slub_debug=P") | indent(4) }}}
|
||||
|
||||
rationale: |-
|
||||
Poisoning writes an arbitrary value to freed objects, so any modification or
|
||||
@@ -35,15 +34,7 @@ references:
|
||||
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
||||
|
||||
ocil: |-
|
||||
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
- in <tt>/etc/default/grub</tt>. If they include <tt>slub_debug=P</tt>,
|
||||
- then SLUB/SLAB poisoning is enabled at boot time.
|
||||
- <br /><br />
|
||||
- To ensure <tt>slub_debug=P</tt> is configured on all installed kernels, the
|
||||
- following command may be used:
|
||||
- <br />
|
||||
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P</pre>
|
||||
- <br />
|
||||
+ {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
|
||||
|
||||
warnings:
|
||||
- management: |-
|
||||
|
||||
From 5c39cf81d49f0eb5bb73337057fb95356784e5c6 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 16:05:59 +0100
|
||||
Subject: [PATCH 5/8] fix an error in ubuntu version of macro
|
||||
|
||||
---
|
||||
shared/macros.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 16a0404b668..54d2b299a47 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -1660,7 +1660,7 @@ If this option is set to true, then check that a line is output by the following
|
||||
If the recovery is disabled, check the line with
|
||||
<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
|
||||
{{%- if 'ubuntu' in product -%}}
|
||||
-Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||||
+Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
|
||||
<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
|
||||
This command should not return any output.
|
||||
{{%- else -%}}
|
||||
|
||||
From f100d190833d168127715215e788347f806736f3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 16:16:21 +0100
|
||||
Subject: [PATCH 6/8] remove warnings from rules
|
||||
|
||||
they are no longer relevant, we do not use grub2-mkconfig anymore
|
||||
---
|
||||
.../auditing/grub2_audit_argument/rule.yml | 18 ------------------
|
||||
.../rule.yml | 18 ------------------
|
||||
.../grub2_pti_argument/rule.yml | 18 ------------------
|
||||
.../grub2_vsyscall_argument/rule.yml | 18 ------------------
|
||||
.../grub2_ipv6_disable_argument/rule.yml | 18 ------------------
|
||||
.../grub2_page_poison_argument/rule.yml | 18 ------------------
|
||||
.../grub2_slub_debug_argument/rule.yml | 18 ------------------
|
||||
7 files changed, 126 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
index aff0521ee73..00a4ded2738 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
@@ -54,24 +54,6 @@ ocil_clause: 'auditing is not enabled at boot time'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("audit=1") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: grub2
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
index 868d525014f..efbc3dae1c1 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
@@ -41,24 +41,6 @@ ocil_clause: 'audit backlog limit is not configured'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: grub2
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
index 51b0a284746..52a308e3247 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
@@ -34,24 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("pti=on") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel8", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: machine
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
index 1b88d13bd3c..93eb31dad7b 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
@@ -34,24 +34,6 @@ ocil_clause: 'vsyscalls are enabled'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: machine
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
index c0fda343a1a..9e1ca48efe0 100644
|
||||
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
@@ -30,24 +30,6 @@ ocil_clause: 'IPv6 is not disabled'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command:
|
||||
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command:
|
||||
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
|
||||
- <pre>sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: grub2
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
index 1f4e183d9e7..1ad6c6b3c44 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
@@ -36,24 +36,6 @@ ocil_clause: 'page allocator poisoning is not enabled'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: grub2
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
index bb5dbc6c125..e40f5377c61 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
@@ -36,24 +36,6 @@ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
||||
ocil: |-
|
||||
{{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
|
||||
|
||||
-warnings:
|
||||
- - management: |-
|
||||
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
||||
- is automatically updated each time a new kernel is installed. Note that any
|
||||
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
||||
- file. To update the GRUB 2 configuration file manually, use the
|
||||
- <pre>grub2-mkconfig -o</pre> command as follows:
|
||||
- <ul>
|
||||
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
|
||||
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
|
||||
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
|
||||
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
|
||||
-{{% else %}}
|
||||
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
|
||||
-{{% endif %}}
|
||||
- </ul>
|
||||
-
|
||||
platform: grub2
|
||||
|
||||
template:
|
||||
|
||||
From bbc3cc093004efd0457ccb33722a4fb14b0b2fb8 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Mon, 14 Feb 2022 14:29:15 +0100
|
||||
Subject: [PATCH 7/8] Update shared/macros.jinja
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Co-authored-by: Matěj Týč <matej.tyc@gmail.com>
|
||||
---
|
||||
shared/macros.jinja | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 54d2b299a47..392181e2b24 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -1671,7 +1671,12 @@ The command should not return any output.
|
||||
{{%- endif -%}}
|
||||
{{%- else -%}}
|
||||
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||||
+{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}
|
||||
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>.
|
||||
+{{%- else -%}}
|
||||
+in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
|
||||
+{{%- endif %}}
|
||||
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||||
is configured at boot time.
|
||||
<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
{{%- endif -%}}
|
||||
|
||||
From 8121376668b43d21cf0f9700994bc011c3e313d7 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 15:17:33 +0100
|
||||
Subject: [PATCH 8/8] more modifications to description and ocil
|
||||
|
||||
final touches
|
||||
---
|
||||
shared/macros.jinja | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 392181e2b24..a89bac12f53 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -1626,7 +1626,7 @@ The audit daemon must be restarted for the changes to take effect.
|
||||
The parameter should be in form `parameter=value`.
|
||||
#}}
|
||||
{{%- macro describe_grub2_argument(arg_name_value) -%}}
|
||||
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||||
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
|
||||
To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
|
||||
argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
|
||||
default Grub2 command line for Linux operating systems. Modify the line within
|
||||
@@ -1649,7 +1649,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
|
||||
The parameter should have form `parameter=value`.
|
||||
#}}
|
||||
{{%- macro ocil_grub2_argument(arg_name_value) -%}}
|
||||
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||||
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
|
||||
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||||
in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
|
||||
then the parameter will be configured for newly installed kernels.
|
||||
@@ -1660,8 +1660,12 @@ If this option is set to true, then check that a line is output by the following
|
||||
If the recovery is disabled, check the line with
|
||||
<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
|
||||
{{%- if 'ubuntu' in product -%}}
|
||||
-Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
|
||||
-<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
|
||||
+Moreover, current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found
|
||||
+either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
|
||||
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||||
+is configured at boot time.
|
||||
+<pre># grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'</pre>
|
||||
+Fill in <tt>GRUB_CFG_FILE_PATH</tt> based on information above.
|
||||
This command should not return any output.
|
||||
{{%- else -%}}
|
||||
Moreover, command line parameters for currently installed kernels should be checked as well.
|
||||
@@ -1678,6 +1682,7 @@ in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt>
|
||||
{{%- endif %}}
|
||||
If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||||
is configured at boot time.
|
||||
-<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||||
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION</pre>
|
||||
+Fill in <tt>GRUBENV_FILE_LOCATION</tt> based on information above.
|
||||
{{%- endif -%}}
|
||||
{{%- endmacro -%}}
|
@ -1,842 +0,0 @@
|
||||
From 1bd88bbdc7ce8b6e2265f323cd3a777ef2240e6b Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Fri, 28 Jan 2022 17:11:56 +0100
|
||||
Subject: [PATCH 1/5] Change the grub2 bootloader argument template
|
||||
|
||||
- Introduce the concept of product-specific bootloader config
|
||||
properties that determine the check/remediation form.
|
||||
- Expand the RHEL8 remediation with a check for update of
|
||||
/etc/default/grub contents.
|
||||
- Add a RHEL8 check that looks for kernelopts references in loader entries.
|
||||
- Update tests.
|
||||
---
|
||||
.../grub2_entries_reference_kernelopts.xml | 25 +++++
|
||||
.../ansible.template | 35 ++++++-
|
||||
.../grub2_bootloader_argument/bash.template | 48 +++++++--
|
||||
.../grub2_bootloader_argument/oval.template | 97 +++++++++++++------
|
||||
.../arg_not_there_etcdefaultgrub.fail.sh | 2 +-
|
||||
....fail.sh => arg_not_there_grubenv.fail.sh} | 0
|
||||
6 files changed, 164 insertions(+), 43 deletions(-)
|
||||
create mode 100644 shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
rename shared/templates/grub2_bootloader_argument/tests/{arg_not_there.fail.sh => arg_not_there_grubenv.fail.sh} (100%)
|
||||
|
||||
diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
new file mode 100644
|
||||
index 00000000000..1aec9fe64d2
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
@@ -0,0 +1,25 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="grub2_entries_reference_kernelopts" version="2">
|
||||
+ {{{ oval_metadata(
|
||||
+ "Ensure that grubenv-defined kernel options are referenced in individual boot loader entries",
|
||||
+ title="Use $kernelopts in /boot/loader/entries/*.conf",
|
||||
+ affected_platforms=["multi_platform_all"]) }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_grub2_entries_reference_kernelopts"
|
||||
+ comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable." />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_grub2_entries_reference_kernelopts"
|
||||
+ comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable."
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="object_grub2_entries_reference_kernelopts" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_grub2_entries_reference_kernelopts" version="1">
|
||||
+ <ind:path>/boot/loader/entries/</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^options .*\b\$kernelopts\b.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
index 58d4fab69fa..de970879c8f 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
@@ -4,7 +4,34 @@
|
||||
# complexity = medium
|
||||
# disruption = low
|
||||
|
||||
-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{#
|
||||
+ See the OVAL template for more comments.
|
||||
+ Product-specific categorization should be synced across all template content types
|
||||
+-#}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
+
|
||||
+{{% if product in ["rhel9"] %}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel8"] %}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if system_with_kernel_options_in_etc_default_grub -%}}
|
||||
- name: Check {{{ ARG_NAME }}} argument exists
|
||||
command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
|
||||
failed_when: False
|
||||
@@ -27,7 +54,9 @@
|
||||
- name: Update bootloader menu
|
||||
command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
|
||||
-{{% else %}}
|
||||
+{{%- endif %}}
|
||||
+
|
||||
+{{% if system_with_kernel_options_in_grubenv -%}}
|
||||
|
||||
- name: Get current kernel parameters
|
||||
ansible.builtin.shell:
|
||||
@@ -50,4 +79,4 @@
|
||||
when:
|
||||
- kernelopts.rc != 0
|
||||
|
||||
-{{% endif %}}
|
||||
+{{%- endif %}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index 631e686897e..817fd1fde23 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -1,6 +1,41 @@
|
||||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
+{{#
|
||||
+ See the OVAL template for more comments.
|
||||
+ Product-specific categorization should be synced across all template content types
|
||||
+-#}}
|
||||
|
||||
-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
+
|
||||
+{{% if product in ["rhel9"] %}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel8"] %}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
+{{% endif -%}}
|
||||
+
|
||||
+{{% macro update_etc_default_grub(arg_name_value) %}}
|
||||
+{{% if 'ubuntu' in product %}}
|
||||
+update-grub
|
||||
+{{% else %}}
|
||||
+grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
|
||||
+{{% endif %}}
|
||||
+{{% endmacro -%}}
|
||||
+
|
||||
+{{% if system_with_kernel_options_in_etc_default_grub %}}
|
||||
{{% if '/' in ARG_NAME %}}
|
||||
{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
{{% elif '/' in ARG_NAME_VALUE %}}
|
||||
@@ -14,14 +49,11 @@ else
|
||||
# no {{{ ARG_NAME }}}=arg is present, append it
|
||||
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
|
||||
fi
|
||||
-
|
||||
-{{% if 'ubuntu' in product %}}
|
||||
-update-grub
|
||||
-{{% else %}}
|
||||
-# Correct the form of kernel command line for each installed kernel in the bootloader
|
||||
-grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
{{% endif %}}
|
||||
-{{% else %}}
|
||||
+
|
||||
+{{{ update_etc_default_grub(ARG_NAME_VALUE) }}}
|
||||
+
|
||||
+{{% if system_with_kernel_options_in_grubenv -%}}
|
||||
# Correct grub2 kernelopts value using grub2-editenv
|
||||
existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
|
||||
if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
index 3ea8acb2910..24258a3bcbd 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/oval.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
@@ -1,15 +1,53 @@
|
||||
+{{#-
|
||||
+ We set defaults to "off", and products should enable relevant ones depending on how the product configures grub.
|
||||
+ - /boot/loader/entries/* may not exist don't exist
|
||||
+ - If they exist, they can reference variables defined in grubenv, or they can contain literal args
|
||||
+ - The grub cfg may either use those loader entries, or it can contain literal values as well
|
||||
+ - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades
|
||||
+-#}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
+
|
||||
+{{% if product in ["rhel9"] -%}}
|
||||
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
+{{%- endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel8"] -%}}
|
||||
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
|
||||
+{{% set system_with_kernel_options_in_grubenv = true %}}
|
||||
+{{%- endif -%}}
|
||||
+
|
||||
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product -%}}
|
||||
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
+{{%- endif -%}}
|
||||
+
|
||||
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
+{{%- endif -%}}
|
||||
+
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
|
||||
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
|
||||
<criteria operator="AND">
|
||||
- {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
- {{% if product in ['rhel9'] %}}
|
||||
+ {{% if system_with_kernel_options_in_grubenv -%}}
|
||||
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
|
||||
+ {{%- endif %}}
|
||||
+ {{% if system_with_referenced_kernel_options_in_loader_entries -%}}
|
||||
+ <extend_definition comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable" definition_ref="grub2_entries_reference_kernelopts" />
|
||||
+ {{%- endif %}}
|
||||
+ {{% if system_with_expanded_kernel_options_in_loader_entries -%}}
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
|
||||
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
|
||||
- {{% else %}}
|
||||
+ {{%- endif %}}
|
||||
+ {{% if system_with_expanded_kernel_options_in_grub_cfg -%}}
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
|
||||
- {{% endif %}}
|
||||
+ {{%- endif %}}
|
||||
+ {{% if system_with_kernel_options_in_etc_default_grub -%}}
|
||||
<criteria operator="OR">
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
||||
@@ -20,14 +58,11 @@
|
||||
comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
|
||||
</criteria>
|
||||
</criteria>
|
||||
- {{% else %}}
|
||||
- <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
|
||||
- {{% endif %}}
|
||||
+ {{%- endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{%- if system_with_kernel_options_in_etc_default_grub %}}
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
@@ -54,8 +89,25 @@
|
||||
<ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+{{%- endif %}}
|
||||
+
|
||||
+{{%- if system_with_kernel_options_in_grubenv %}}
|
||||
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
+ comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
|
||||
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
|
||||
- {{% if product in ["rhel9"] %}}
|
||||
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
+ version="1">
|
||||
+ <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+{{%- endif %}}
|
||||
+
|
||||
+{{%- if system_with_expanded_kernel_options_in_loader_entries %}}
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
|
||||
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} for all boot entries."
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
@@ -69,7 +121,9 @@
|
||||
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
- {{% else %}}
|
||||
+{{%- endif %}}
|
||||
+
|
||||
+{{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
@@ -87,26 +141,7 @@
|
||||
{{% endif %}}
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
-
|
||||
- {{% endif %}}
|
||||
-
|
||||
-{{% else %}}
|
||||
-
|
||||
- <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
- comment="check forkernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
- <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
|
||||
- <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
||||
- </ind:textfilecontent54_test>
|
||||
-
|
||||
- <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
- version="1">
|
||||
- <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- </ind:textfilecontent54_object>
|
||||
-
|
||||
-{{% endif %}}
|
||||
+{{%- endif %}}
|
||||
|
||||
<ind:textfilecontent54_state id="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
version="1">
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
||||
index a56e6d09235..a270be45952 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
|
||||
# Removes argument from kernel command line in /etc/default/grub
|
||||
if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
|
||||
similarity index 100%
|
||||
rename from shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
|
||||
rename to shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
|
||||
|
||||
From 0d10bf751d5e1d7f024cd7301f8b02b38c0e3b9c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 11:19:06 +0100
|
||||
Subject: [PATCH 2/5] Change the default product setting
|
||||
|
||||
Assume that every product stores kernel opts in the /etc/default/grub
|
||||
---
|
||||
shared/templates/grub2_bootloader_argument/ansible.template | 6 +-----
|
||||
shared/templates/grub2_bootloader_argument/bash.template | 6 +-----
|
||||
shared/templates/grub2_bootloader_argument/oval.template | 6 +-----
|
||||
3 files changed, 3 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
index de970879c8f..46de9b465c2 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
@@ -11,7 +11,7 @@
|
||||
{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
|
||||
{{% if product in ["rhel9"] %}}
|
||||
@@ -27,10 +27,6 @@
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
{{% endif -%}}
|
||||
|
||||
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
{{% if system_with_kernel_options_in_etc_default_grub -%}}
|
||||
- name: Check {{{ ARG_NAME }}} argument exists
|
||||
command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index 817fd1fde23..b188d1e3689 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -7,7 +7,7 @@
|
||||
{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
|
||||
{{% if product in ["rhel9"] %}}
|
||||
@@ -23,10 +23,6 @@
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
{{% endif -%}}
|
||||
|
||||
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
{{% macro update_etc_default_grub(arg_name_value) %}}
|
||||
{{% if 'ubuntu' in product %}}
|
||||
update-grub
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
index 24258a3bcbd..88fa7b7a3ee 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/oval.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
@@ -8,7 +8,7 @@
|
||||
{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
|
||||
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
|
||||
{{% if product in ["rhel9"] -%}}
|
||||
@@ -24,10 +24,6 @@
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
{{%- endif -%}}
|
||||
|
||||
-{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
|
||||
-{{%- endif -%}}
|
||||
-
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
|
||||
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
|
||||
|
||||
From fac0aeb351d7acab1112482d11a0be73df662496 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 11 Feb 2022 14:55:53 +0100
|
||||
Subject: [PATCH 3/5] Improve the template further
|
||||
|
||||
- Fix the $kernelopts regex - $ is not a word char.
|
||||
- Use grubby exclusively on RHEL systems and structure remediations differently than OVAL checks
|
||||
- Exclude the rescue.conf loader entry from checks, as it is not a boot entry for general use.
|
||||
---
|
||||
.../grub2_entries_reference_kernelopts.xml | 2 +-
|
||||
.../ansible.template | 72 +------------------
|
||||
.../grub2_bootloader_argument/bash.template | 67 +++++------------
|
||||
.../grub2_bootloader_argument/oval.template | 7 +-
|
||||
.../tests/invalid_rescue.pass.sh | 6 ++
|
||||
tests/test_rule_in_container.sh | 2 +-
|
||||
6 files changed, 33 insertions(+), 123 deletions(-)
|
||||
create mode 100644 shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
|
||||
|
||||
diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
index 1aec9fe64d2..30f3965a037 100644
|
||||
--- a/shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
+++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
|
||||
@@ -19,7 +19,7 @@
|
||||
<ind:textfilecontent54_object id="object_grub2_entries_reference_kernelopts" version="1">
|
||||
<ind:path>/boot/loader/entries/</ind:path>
|
||||
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
- <ind:pattern operation="pattern match">^options .*\b\$kernelopts\b.*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^options(?:\s+.*)?\s+\$kernelopts\b.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
index 46de9b465c2..db3b4430d4b 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
|
||||
@@ -4,75 +4,5 @@
|
||||
# complexity = medium
|
||||
# disruption = low
|
||||
|
||||
-{{#
|
||||
- See the OVAL template for more comments.
|
||||
- Product-specific categorization should be synced across all template content types
|
||||
--#}}
|
||||
-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
-{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
-
|
||||
-{{% if product in ["rhel9"] %}}
|
||||
-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% if product in ["rhel8"] %}}
|
||||
-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
|
||||
-{{% set system_with_kernel_options_in_grubenv = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% if system_with_kernel_options_in_etc_default_grub -%}}
|
||||
-- name: Check {{{ ARG_NAME }}} argument exists
|
||||
- command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
|
||||
- failed_when: False
|
||||
- register: argcheck
|
||||
-
|
||||
-- name: Replace existing {{{ ARG_NAME }}} argument
|
||||
- replace:
|
||||
- path: /etc/default/grub
|
||||
- regexp: '{{{ ARG_NAME }}}=\w+'
|
||||
- replace: '{{{ ARG_NAME_VALUE }}}'
|
||||
- when: argcheck.rc == 0
|
||||
-
|
||||
-- name: Add {{{ ARG_NAME }}} argument
|
||||
- replace:
|
||||
- path: /etc/default/grub
|
||||
- regexp: '(GRUB_CMDLINE_LINUX=.*)"'
|
||||
- replace: '\1 {{{ ARG_NAME_VALUE }}}"'
|
||||
- when: argcheck.rc != 0
|
||||
-
|
||||
-- name: Update bootloader menu
|
||||
+- name: Update grub defaults and the bootloader menu
|
||||
command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
-
|
||||
-{{%- endif %}}
|
||||
-
|
||||
-{{% if system_with_kernel_options_in_grubenv -%}}
|
||||
-
|
||||
-- name: Get current kernel parameters
|
||||
- ansible.builtin.shell:
|
||||
- cmd: '/usr/bin/grub2-editenv - list | grep "kernelopts="'
|
||||
- register: kernelopts
|
||||
- ignore_errors: yes
|
||||
- changed_when: False
|
||||
-
|
||||
-- name: Update the bootloader menu
|
||||
- command: /usr/bin/grub2-editenv - set "{{ item }} {{{ ARG_NAME_VALUE }}}"
|
||||
- with_items: "{{ kernelopts.stdout_lines | select('match', '^kernelopts.*') | list }}"
|
||||
- when:
|
||||
- - kernelopts.rc == 0
|
||||
- - kernelopts.stdout_lines is defined
|
||||
- - kernelopts.stdout_lines | length > 0
|
||||
- - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?{{{ ARG_NAME_VALUE }}}(?:\s.*)?$', multiline=True) is none
|
||||
-
|
||||
-- name: Update the bootloader menu when there are no entries previously set
|
||||
- command: /usr/bin/grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
|
||||
- when:
|
||||
- - kernelopts.rc != 0
|
||||
-
|
||||
-{{%- endif %}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index b188d1e3689..5f97efd498f 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -4,59 +4,28 @@
|
||||
Product-specific categorization should be synced across all template content types
|
||||
-#}}
|
||||
|
||||
-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
|
||||
-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
|
||||
-{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
+{{% set grub_helper_executable = "grubby" -%}}
|
||||
+{{% set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ ARG_NAME_VALUE] -%}}
|
||||
|
||||
-{{% if product in ["rhel9"] %}}
|
||||
-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% if product in ["rhel8"] %}}
|
||||
-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
|
||||
-{{% set system_with_kernel_options_in_grubenv = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
-{{% endif -%}}
|
||||
-
|
||||
-{{% macro update_etc_default_grub(arg_name_value) %}}
|
||||
-{{% if 'ubuntu' in product %}}
|
||||
-update-grub
|
||||
-{{% else %}}
|
||||
-grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
|
||||
-{{% endif %}}
|
||||
-{{% endmacro -%}}
|
||||
-
|
||||
-{{% if system_with_kernel_options_in_etc_default_grub %}}
|
||||
-{{% if '/' in ARG_NAME %}}
|
||||
-{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
-{{% elif '/' in ARG_NAME_VALUE %}}
|
||||
-{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
-{{% endif %}}
|
||||
+{{%- macro update_etc_default_grub_manually() -%}}
|
||||
# Correct the form of default kernel command line in GRUB
|
||||
if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
|
||||
- # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
|
||||
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
|
||||
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
|
||||
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
|
||||
else
|
||||
- # no {{{ ARG_NAME }}}=arg is present, append it
|
||||
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
|
||||
+ # no {{{ ARG_NAME }}}=arg is present, append it
|
||||
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
|
||||
fi
|
||||
-{{% endif %}}
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{% if 'ubuntu' in product %}}
|
||||
+{{{ update_etc_default_grub_manually() }}}
|
||||
+{{% set grub_helper_executable = "update-grub" -%}}
|
||||
+{{% endif -%}}
|
||||
|
||||
-{{{ update_etc_default_grub(ARG_NAME_VALUE) }}}
|
||||
+{{% if product in ["rhel8", "ol8"] %}}
|
||||
+{{# Suppress the None output of append -#}}
|
||||
+{{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" -}}}
|
||||
+{{% endif -%}}
|
||||
|
||||
-{{% if system_with_kernel_options_in_grubenv -%}}
|
||||
-# Correct grub2 kernelopts value using grub2-editenv
|
||||
-existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
|
||||
-if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
|
||||
- if test -n "$existing_kernelopts"; then
|
||||
- grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}"
|
||||
- else
|
||||
- grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
|
||||
- fi
|
||||
-fi
|
||||
-{{% endif %}}
|
||||
+{{{ grub_helper_executable }}} {{{ " ".join(grub_helper_args) }}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
index 88fa7b7a3ee..6981cc14045 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/oval.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
@@ -1,6 +1,6 @@
|
||||
{{#-
|
||||
We set defaults to "off", and products should enable relevant ones depending on how the product configures grub.
|
||||
- - /boot/loader/entries/* may not exist don't exist
|
||||
+ - /boot/loader/entries/* may not exist.
|
||||
- If they exist, they can reference variables defined in grubenv, or they can contain literal args
|
||||
- The grub cfg may either use those loader entries, or it can contain literal values as well
|
||||
- Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades
|
||||
@@ -116,7 +116,12 @@
|
||||
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_grub2_rescue_entry_for_{{{ _RULE_ID }}}</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_grub2_rescue_entry_for_{{{ _RULE_ID }}}" version="1">
|
||||
+ <ind:filename>rescue.conf</ind:filename>
|
||||
+ </ind:textfilecontent54_state>
|
||||
{{%- endif %}}
|
||||
|
||||
{{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ee6e2c67f34
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
|
||||
+# packages = grub2,grubby
|
||||
+
|
||||
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
|
||||
+
|
||||
+echo "I am an invalid boot entry, but nobody should care, because I am rescue" > /boot/loader/entries/trololol-rescue.conf
|
||||
diff --git a/tests/test_rule_in_container.sh b/tests/test_rule_in_container.sh
|
||||
index 395fc4e856c..a8691ca7463 100755
|
||||
--- a/tests/test_rule_in_container.sh
|
||||
+++ b/tests/test_rule_in_container.sh
|
||||
@@ -221,7 +221,7 @@ additional_args=()
|
||||
test "$_arg_dontclean" = on && additional_args+=(--dontclean)
|
||||
|
||||
# Don't act on the default value.
|
||||
-test -n "$_arg_scenarios" && additional_args+=(--scenario "'$_arg_scenarios'")
|
||||
+test -n "$_arg_scenarios" && additional_args+=(--scenario "$_arg_scenarios")
|
||||
|
||||
test -n "$_arg_datastream" && additional_args+=(--datastream "$_arg_datastream")
|
||||
|
||||
|
||||
From 8dda6030dea885c7c7e7e8f1024f5f2edf5bc36c Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 13:45:09 +0100
|
||||
Subject: [PATCH 4/5] Add support for checks of both BIOS/UEFI systems
|
||||
|
||||
---
|
||||
.../grub2_bootloader_argument/oval.template | 57 +++++++++++++++----
|
||||
1 file changed, 46 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
index 6981cc14045..71367465663 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/oval.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
@@ -10,6 +10,7 @@
|
||||
{{% set system_with_kernel_options_in_grubenv = false -%}}
|
||||
{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
|
||||
+{{% set system_with_bios_and_uefi_support = false -%}}
|
||||
|
||||
{{% if product in ["rhel9"] -%}}
|
||||
{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
|
||||
@@ -24,13 +25,25 @@
|
||||
{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
|
||||
{{%- endif -%}}
|
||||
|
||||
+{{% if grub2_uefi_boot_path and grub2_uefi_boot_path != grub2_boot_path -%}}
|
||||
+{{% set system_with_bios_and_uefi_support = true %}}
|
||||
+{{%- endif -%}}
|
||||
+
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
|
||||
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
|
||||
<criteria operator="AND">
|
||||
{{% if system_with_kernel_options_in_grubenv -%}}
|
||||
+ {{% if system_with_bios_and_uefi_support -%}}
|
||||
+ <criteria operator="OR">
|
||||
+ {{%- endif %}}
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
|
||||
+ {{% if system_with_bios_and_uefi_support -%}}
|
||||
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env_uefi"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_uefi_boot_path }}}/grubenv" />
|
||||
+ </criteria>
|
||||
+ {{%- endif %}}
|
||||
{{%- endif %}}
|
||||
{{% if system_with_referenced_kernel_options_in_loader_entries -%}}
|
||||
<extend_definition comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable" definition_ref="grub2_entries_reference_kernelopts" />
|
||||
@@ -40,8 +53,16 @@
|
||||
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
|
||||
{{%- endif %}}
|
||||
{{% if system_with_expanded_kernel_options_in_grub_cfg -%}}
|
||||
+ {{% if system_with_bios_and_uefi_support -%}}
|
||||
+ <criteria operator="OR">
|
||||
+ {{%- endif %}}
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
|
||||
+ {{% if system_with_bios_and_uefi_support -%}}
|
||||
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg_uefi"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_uefi_boot_path }}}/grub.cfg for all kernels" />
|
||||
+ </criteria>
|
||||
+ {{%- endif %}}
|
||||
{{%- endif %}}
|
||||
{{% if system_with_kernel_options_in_etc_default_grub -%}}
|
||||
<criteria operator="OR">
|
||||
@@ -88,19 +109,26 @@
|
||||
{{%- endif %}}
|
||||
|
||||
{{%- if system_with_kernel_options_in_grubenv %}}
|
||||
- <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
- comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
|
||||
+{{%- macro test_and_object_for_kernel_options_grub_env(base_name, path) %}}
|
||||
+ <ind:textfilecontent54_test id="test_{{{ base_name }}}"
|
||||
+ comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ path }}} for all kernels"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
- <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
|
||||
+ <ind:object object_ref="object_{{{ base_name }}}" />
|
||||
<ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
|
||||
+ <ind:textfilecontent54_object id="object_{{{ base_name }}}"
|
||||
version="1">
|
||||
- <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
|
||||
+ <ind:filepath>{{{ path }}}</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env", grub2_boot_path ~ "/grubenv") }}}
|
||||
+{{% if system_with_bios_and_uefi_support -%}}
|
||||
+{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env_uefi", grub2_uefi_boot_path ~ "/grubenv") }}}
|
||||
+{{%- endif %}}
|
||||
{{%- endif %}}
|
||||
|
||||
{{%- if system_with_expanded_kernel_options_in_loader_entries %}}
|
||||
@@ -120,21 +148,22 @@
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:textfilecontent54_state id="state_grub2_rescue_entry_for_{{{ _RULE_ID }}}" version="1">
|
||||
- <ind:filename>rescue.conf</ind:filename>
|
||||
+ <ind:filename operation="pattern match">.*rescue.conf$</ind:filename>
|
||||
</ind:textfilecontent54_state>
|
||||
{{%- endif %}}
|
||||
|
||||
{{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
|
||||
- <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
- comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
|
||||
+{{%- macro test_and_object_for_kernel_options_grub_cfg(base_name, path) %}}
|
||||
+ <ind:textfilecontent54_test id="test_{{{ base_name }}}"
|
||||
+ comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ path }}} for all kernels"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
- <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg" />
|
||||
+ <ind:object object_ref="object_{{{ base_name }}}" />
|
||||
<ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
+ <ind:textfilecontent54_object id="object_{{{ base_name }}}"
|
||||
version="1">
|
||||
- <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath>
|
||||
+ <ind:filepath>{{{ path }}}</ind:filepath>
|
||||
{{% if product in ["rhel7"] or 'ubuntu' in product %}}
|
||||
<ind:pattern operation="pattern match">^.*/vmlinuz.*(root=.*)$</ind:pattern>
|
||||
{{% else %}}
|
||||
@@ -142,6 +171,12 @@
|
||||
{{% endif %}}
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg", grub2_boot_path ~ "/grub.cfg") }}}
|
||||
+{{% if system_with_bios_and_uefi_support -%}}
|
||||
+{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg_uefi", grub2_uefi_boot_path ~ "/grub.cfg") }}}
|
||||
+{{%- endif %}}
|
||||
{{%- endif %}}
|
||||
|
||||
<ind:textfilecontent54_state id="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
|
||||
From df44b5d7017328d05c0671397edcfed019a2a448 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 14:49:34 +0100
|
||||
Subject: [PATCH 5/5] Correct test scenario metadata
|
||||
|
||||
- Grubenv doesn't relate to anything else than RHEL8
|
||||
- The grubby remediation has different behavior in corner-cases
|
||||
that are technically unsupported, so the corresponding test scenario has been dropped.
|
||||
---
|
||||
.../grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh | 1 +
|
||||
.../auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh | 2 +-
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
|
||||
index 5af2acc317e..956c8ac79fd 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
|
||||
# Removes audit argument from kernel command line in /boot/grub2/grubenv
|
||||
file="/boot/grub2/grubenv"
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
|
||||
index 0ec9a1d6e38..9823b08dff9 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
|
||||
grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
|
@ -1,855 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..b44c91cbf4a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
|
||||
@@ -0,0 +1,150 @@
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+
|
||||
+- name: Check for existing pam_pwquality.so entry
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ path: "/etc/pam.d/password-auth"
|
||||
+ create: no
|
||||
+ regexp: '^password.*pam_pwquality.so.*'
|
||||
+ state: absent
|
||||
+ check_mode: true
|
||||
+ changed_when: false
|
||||
+ register: result_pam_pwquality_present
|
||||
+
|
||||
+- name: Check if system relies on authselect
|
||||
+ ansible.builtin.stat:
|
||||
+ path: /usr/bin/authselect
|
||||
+ register: result_authselect_present
|
||||
+
|
||||
+- name: "Remediation where authselect tool is present"
|
||||
+ block:
|
||||
+ - name: Check the integrity of the current authselect profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect check
|
||||
+ register: result_authselect_check_cmd
|
||||
+ changed_when: false
|
||||
+ ignore_errors: true
|
||||
+
|
||||
+ - name: Informative message based on the authselect integrity check result
|
||||
+ ansible.builtin.assert:
|
||||
+ that:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ fail_msg:
|
||||
+ - authselect integrity check failed. Remediation aborted!
|
||||
+ - This remediation could not be applied because the authselect profile is not intact.
|
||||
+ - It is not recommended to manually edit the PAM files when authselect is available.
|
||||
+ - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
|
||||
+ success_msg:
|
||||
+ - authselect integrity check passed
|
||||
+
|
||||
+ - name: Get authselect current profile
|
||||
+ ansible.builtin.shell:
|
||||
+ cmd: authselect current -r | awk '{ print $1 }'
|
||||
+ register: result_authselect_profile
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+
|
||||
+ - name: Define the current authselect profile as a local fact
|
||||
+ ansible.builtin.set_fact:
|
||||
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_profile.stdout is match("custom/")
|
||||
+
|
||||
+ - name: Define the new authselect custom profile as a local fact
|
||||
+ ansible.builtin.set_fact:
|
||||
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ authselect_custom_profile: "custom/hardening"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_profile.stdout is not match("custom/")
|
||||
+
|
||||
+ - name: Get authselect current features to also enable them in the custom profile
|
||||
+ ansible.builtin.shell:
|
||||
+ cmd: authselect current | tail -n+3 | awk '{ print $2 }'
|
||||
+ register: result_authselect_features
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+
|
||||
+ - name: Check if any custom profile with the same name was already created in the past
|
||||
+ ansible.builtin.stat:
|
||||
+ path: /etc/authselect/{{ authselect_custom_profile }}
|
||||
+ register: result_authselect_custom_profile_present
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+
|
||||
+ - name: Create a custom profile based on the current profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect create-profile hardening -b sssd
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - not result_authselect_custom_profile_present.stat.exists
|
||||
+
|
||||
+ - name: Ensure the desired configuration is present in the custom profile
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ dest: "/etc/authselect/{{ authselect_custom_profile }}/password-auth"
|
||||
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
||||
+ line: "password requisite pam_pwquality.so"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_pam_pwquality_present.found == 0
|
||||
+
|
||||
+ - name: Ensure a backup of current authselect profile before selecting the custom profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
||||
+ register: result_authselect_backup
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - authselect_custom_profile is not match(authselect_current_profile)
|
||||
+
|
||||
+ - name: Ensure the custom profile is selected
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect select {{ authselect_custom_profile }} --force
|
||||
+ register: result_pam_authselect_select_profile
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - authselect_custom_profile is not match(authselect_current_profile)
|
||||
+
|
||||
+ - name: Restore the authselect features in the custom profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect enable-feature {{ item }}
|
||||
+ loop: "{{ result_authselect_features.stdout_lines }}"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_features is not skipped
|
||||
+ - result_pam_authselect_select_profile is not skipped
|
||||
+
|
||||
+ - name: Ensure the custom profile changes are applied
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ when:
|
||||
+ - result_authselect_present.stat.exists
|
||||
+
|
||||
+# For systems without authselect
|
||||
+- name: "Remediation where authselect tool is not present and PAM files are directly edited"
|
||||
+ block:
|
||||
+ - name: Ensure the desired configuration is present in the custom profile
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ dest: "/etc/pam.d/password-auth"
|
||||
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
||||
+ line: "password requisite pam_pwquality.so"
|
||||
+ when:
|
||||
+ - result_pam_pwquality_present.found == 0
|
||||
+ when:
|
||||
+ - not result_authselect_present.stat.exists
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..d2fca2a79ca
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
|
||||
@@ -0,0 +1,41 @@
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
||||
+
|
||||
+PAM_FILE="password-auth"
|
||||
+
|
||||
+if [ -f /usr/bin/authselect ]; then
|
||||
+ if authselect check; then
|
||||
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
|
||||
+ # Standard profiles delivered with authselect should not be modified.
|
||||
+ # If not already in use, a custom profile is created preserving the enabled features.
|
||||
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
|
||||
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
|
||||
+ authselect create-profile hardening -b $CURRENT_PROFILE
|
||||
+ CURRENT_PROFILE="custom/hardening"
|
||||
+ # Ensure a backup before changing the profile
|
||||
+ authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
||||
+ authselect select $CURRENT_PROFILE
|
||||
+ for feature in $ENABLED_FEATURES; do
|
||||
+ authselect enable-feature $feature;
|
||||
+ done
|
||||
+ fi
|
||||
+ # Include the desired configuration in the custom profile
|
||||
+ CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
|
||||
+ # The line should be included on the top password section
|
||||
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_FILE
|
||||
+ fi
|
||||
+ authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
||||
+ else
|
||||
+ echo "
|
||||
+authselect integrity check failed. Remediation aborted!
|
||||
+This remediation could not be applied because the authselect profile is not intact.
|
||||
+It is not recommended to manually edit the PAM files when authselect is available.
|
||||
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
|
||||
+ false
|
||||
+ fi
|
||||
+else
|
||||
+ FILE_PATH="/etc/pam.d/$PAM_FILE"
|
||||
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $FILE_PATH
|
||||
+ fi
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..84f32456beb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
|
||||
@@ -0,0 +1,21 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("The PAM module pam_pwquality is used in password-auth") }}}
|
||||
+ <criteria comment="Condition for pam_pwquality in password-auth is satisfied">
|
||||
+ <criterion comment="pam_pwquality password-auth"
|
||||
+ test_ref="test_accounts_password_pam_pwquality_password_auth"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_password_auth" version="1">
|
||||
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
|
||||
+ id="test_accounts_password_pam_pwquality_password_auth"
|
||||
+ comment="check the configuration of /etc/pam.d/password-auth">
|
||||
+ <ind:object object_ref="object_accounts_password_pam_pwquality_password_auth"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..6c7bb1ad7a0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
||||
@@ -0,0 +1,35 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
||||
+
|
||||
+title: 'Ensure PAM password complexity module is enabled in password-auth'
|
||||
+
|
||||
+description: |-
|
||||
+ To enable PAM password complexity in password-auth file:
|
||||
+ Edit the <tt>password</tt> section in
|
||||
+ <tt>/etc/pam.d/password-auth</tt> to show
|
||||
+ <tt>password requisite pam_pwquality.so</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Enabling PAM password complexity permits to enforce strong passwords and consequently
|
||||
+ makes the system less prone to dictionary attacks.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-85876-1
|
||||
+ cce@rhel8: CCE-85877-9
|
||||
+ cce@rhel9: CCE-85878-7
|
||||
+
|
||||
+references:
|
||||
+ stigid@rhel8: RHEL-08-020100
|
||||
+
|
||||
+ocil_clause: 'pam_pwquality.so is not enabled in password-auth'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check if pam_pwhistory.so is enabled in password-auth, run the following command:
|
||||
+ <pre>$ grep pam_pwquality /etc/pam.d/password-auth</pre></pre>
|
||||
+ The output should be similar to the following:
|
||||
+ <pre>password requisite pam_pwquality.so</pre>
|
||||
+
|
||||
+platform: pam
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3d696c36b76
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
||||
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..0435899262b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
||||
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
|
||||
+fi
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..472616a51f6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
||||
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..59f9d6f77c4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+# remediation = none
|
||||
+
|
||||
+SYSTEM_AUTH_FILE="/etc/pam.d/password-auth"
|
||||
+
|
||||
+# This modification will break the integrity checks done by authselect.
|
||||
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..71f87b19045
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# packages = pam
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
||||
+
|
||||
+config_file=/etc/pam.d/password-auth
|
||||
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $config_file
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..95b73b24d26
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
||||
+# packages = pam
|
||||
+
|
||||
+config_file=/etc/pam.d/password-auth
|
||||
+
|
||||
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..13cd20458ed
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
|
||||
@@ -0,0 +1,150 @@
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+
|
||||
+- name: Check for existing pam_pwquality.so entry
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ path: "/etc/pam.d/system-auth"
|
||||
+ create: no
|
||||
+ regexp: '^password.*pam_pwquality.so.*'
|
||||
+ state: absent
|
||||
+ check_mode: true
|
||||
+ changed_when: false
|
||||
+ register: result_pam_pwquality_present
|
||||
+
|
||||
+- name: Check if system relies on authselect
|
||||
+ ansible.builtin.stat:
|
||||
+ path: /usr/bin/authselect
|
||||
+ register: result_authselect_present
|
||||
+
|
||||
+- name: "Remediation where authselect tool is present"
|
||||
+ block:
|
||||
+ - name: Check the integrity of the current authselect profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect check
|
||||
+ register: result_authselect_check_cmd
|
||||
+ changed_when: false
|
||||
+ ignore_errors: true
|
||||
+
|
||||
+ - name: Informative message based on the authselect integrity check result
|
||||
+ ansible.builtin.assert:
|
||||
+ that:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ fail_msg:
|
||||
+ - authselect integrity check failed. Remediation aborted!
|
||||
+ - This remediation could not be applied because the authselect profile is not intact.
|
||||
+ - It is not recommended to manually edit the PAM files when authselect is available.
|
||||
+ - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
|
||||
+ success_msg:
|
||||
+ - authselect integrity check passed
|
||||
+
|
||||
+ - name: Get authselect current profile
|
||||
+ ansible.builtin.shell:
|
||||
+ cmd: authselect current -r | awk '{ print $1 }'
|
||||
+ register: result_authselect_profile
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+
|
||||
+ - name: Define the current authselect profile as a local fact
|
||||
+ ansible.builtin.set_fact:
|
||||
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_profile.stdout is match("custom/")
|
||||
+
|
||||
+ - name: Define the new authselect custom profile as a local fact
|
||||
+ ansible.builtin.set_fact:
|
||||
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
||||
+ authselect_custom_profile: "custom/hardening"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_profile.stdout is not match("custom/")
|
||||
+
|
||||
+ - name: Get authselect current features to also enable them in the custom profile
|
||||
+ ansible.builtin.shell:
|
||||
+ cmd: authselect current | tail -n+3 | awk '{ print $2 }'
|
||||
+ register: result_authselect_features
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+
|
||||
+ - name: Check if any custom profile with the same name was already created in the past
|
||||
+ ansible.builtin.stat:
|
||||
+ path: /etc/authselect/{{ authselect_custom_profile }}
|
||||
+ register: result_authselect_custom_profile_present
|
||||
+ changed_when: false
|
||||
+ when:
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+
|
||||
+ - name: Create a custom profile based on the current profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect create-profile hardening -b sssd
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - not result_authselect_custom_profile_present.stat.exists
|
||||
+
|
||||
+ - name: Ensure the desired configuration is present in the custom profile
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ dest: "/etc/authselect/{{ authselect_custom_profile }}/system-auth"
|
||||
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
||||
+ line: "password requisite pam_pwquality.so"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_pam_pwquality_present.found == 0
|
||||
+
|
||||
+ - name: Ensure a backup of current authselect profile before selecting the custom profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
||||
+ register: result_authselect_backup
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - authselect_custom_profile is not match(authselect_current_profile)
|
||||
+
|
||||
+ - name: Ensure the custom profile is selected
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect select {{ authselect_custom_profile }} --force
|
||||
+ register: result_pam_authselect_select_profile
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - authselect_current_profile is not match("custom/")
|
||||
+ - authselect_custom_profile is not match(authselect_current_profile)
|
||||
+
|
||||
+ - name: Restore the authselect features in the custom profile
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect enable-feature {{ item }}
|
||||
+ loop: "{{ result_authselect_features.stdout_lines }}"
|
||||
+ when:
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ - result_authselect_features is not skipped
|
||||
+ - result_pam_authselect_select_profile is not skipped
|
||||
+
|
||||
+ - name: Ensure the custom profile changes are applied
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
||||
+ when:
|
||||
+ - result_authselect_check_cmd is success
|
||||
+ - result_authselect_profile is not skipped
|
||||
+ when:
|
||||
+ - result_authselect_present.stat.exists
|
||||
+
|
||||
+# For systems without authselect
|
||||
+- name: "Remediation where authselect tool is not present and PAM files are directly edited"
|
||||
+ block:
|
||||
+ - name: Ensure the desired configuration is present in the custom profile
|
||||
+ ansible.builtin.lineinfile:
|
||||
+ dest: "/etc/pam.d/system-auth"
|
||||
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
||||
+ line: "password requisite pam_pwquality.so"
|
||||
+ when:
|
||||
+ - result_pam_pwquality_present.found == 0
|
||||
+ when:
|
||||
+ - not result_authselect_present.stat.exists
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9a7972a3f93
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
|
||||
@@ -0,0 +1,41 @@
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
||||
+
|
||||
+PAM_FILE="system-auth"
|
||||
+
|
||||
+if [ -f /usr/bin/authselect ]; then
|
||||
+ if authselect check; then
|
||||
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
|
||||
+ # Standard profiles delivered with authselect should not be modified.
|
||||
+ # If not already in use, a custom profile is created preserving the enabled features.
|
||||
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
|
||||
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
|
||||
+ authselect create-profile hardening -b $CURRENT_PROFILE
|
||||
+ CURRENT_PROFILE="custom/hardening"
|
||||
+ # Ensure a backup before changing the profile
|
||||
+ authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
||||
+ authselect select $CURRENT_PROFILE
|
||||
+ for feature in $ENABLED_FEATURES; do
|
||||
+ authselect enable-feature $feature;
|
||||
+ done
|
||||
+ fi
|
||||
+ # Include the desired configuration in the custom profile
|
||||
+ CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
|
||||
+ # The line should be included on the top password section
|
||||
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_FILE
|
||||
+ fi
|
||||
+ authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
||||
+ else
|
||||
+ echo "
|
||||
+authselect integrity check failed. Remediation aborted!
|
||||
+This remediation could not be applied because the authselect profile is not intact.
|
||||
+It is not recommended to manually edit the PAM files when authselect is available.
|
||||
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
|
||||
+ false
|
||||
+ fi
|
||||
+else
|
||||
+ FILE_PATH="/etc/pam.d/$PAM_FILE"
|
||||
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $FILE_PATH
|
||||
+ fi
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..f8d241f1ff2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
|
||||
@@ -0,0 +1,21 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("The PAM module pam_pwquality is used in system-auth") }}}
|
||||
+ <criteria comment="Condition for pam_pwquality in system-auth is satisfied">
|
||||
+ <criterion comment="pam_pwquality system-auth"
|
||||
+ test_ref="test_accounts_password_pam_pwquality_system_auth"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_system_auth" version="1">
|
||||
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
|
||||
+ id="test_accounts_password_pam_pwquality_system_auth"
|
||||
+ comment="check the configuration of /etc/pam.d/system-auth">
|
||||
+ <ind:object object_ref="object_accounts_password_pam_pwquality_system_auth"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..ea42ff9b07a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
||||
@@ -0,0 +1,35 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
||||
+
|
||||
+title: 'Ensure PAM password complexity module is enabled in system-auth'
|
||||
+
|
||||
+description: |-
|
||||
+ To enable PAM password complexity in system-auth file:
|
||||
+ Edit the <tt>password</tt> section in
|
||||
+ <tt>/etc/pam.d/system-auth</tt> to show
|
||||
+ <tt>password requisite pam_pwquality.so</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Enabling PAM password complexity permits to enforce strong passwords and consequently
|
||||
+ makes the system less prone to dictionary attacks.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-85874-6
|
||||
+ cce@rhel8: CCE-85872-0
|
||||
+ cce@rhel9: CCE-85873-8
|
||||
+
|
||||
+references:
|
||||
+ stigid@rhel8: RHEL-08-020101
|
||||
+
|
||||
+ocil_clause: 'pam_pwquality.so is not enabled in system-auth'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check if pam_pwhistory.so is enabled in system-auth, run the following command:
|
||||
+ <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre></pre>
|
||||
+ The output should be similar to the following:
|
||||
+ <pre>password requisite pam_pwquality.so</pre>
|
||||
+
|
||||
+platform: pam
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..849f16d0f93
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
||||
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6a98c244980
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
||||
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
|
||||
+fi
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6786f6c13d7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+
|
||||
+authselect create-profile hardening -b sssd
|
||||
+CUSTOM_PROFILE="custom/hardening"
|
||||
+authselect select $CUSTOM_PROFILE --force
|
||||
+
|
||||
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
||||
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
|
||||
+authselect apply-changes -b
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b3d9e5884f5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# packages = authselect
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
||||
+# remediation = none
|
||||
+
|
||||
+SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
|
||||
+
|
||||
+# This modification will break the integrity checks done by authselect.
|
||||
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..71f87b19045
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# packages = pam
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
||||
+
|
||||
+config_file=/etc/pam.d/password-auth
|
||||
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
|
||||
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $config_file
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3c8f6f79fe9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
||||
+# packages = pam
|
||||
+
|
||||
+config_file=/etc/pam.d/system-auth
|
||||
+
|
||||
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
index eeb55a6ff5c..6b2219a3eab 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
@@ -6,13 +6,16 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
|
||||
|
||||
description: |-
|
||||
To configure the number of retry prompts that are permitted per-session:
|
||||
+ {{% if product in ['rhel8', 'rhel9'] %}}
|
||||
+ Edit the <tt>/etc/security/pwquality.conf</tt> to include
|
||||
+ {{% else %}}
|
||||
Edit the <tt>pam_pwquality.so</tt> statement in
|
||||
{{% if 'ubuntu' not in product %}}
|
||||
- <tt>/etc/pam.d/system-auth</tt> {{% if product in ['rhel8', 'rhel9'] %}} and
|
||||
- <tt>/etc/pam.d/password-auth</tt> {{% endif %}} to show
|
||||
+ <tt>/etc/pam.d/system-auth</tt> to show
|
||||
{{% else %}}
|
||||
<tt>/etc/pam.d/common-password</tt> to show
|
||||
{{% endif %}}
|
||||
+ {{% endif %}}
|
||||
<tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
|
||||
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
|
||||
per session.
|
||||
@@ -48,17 +51,21 @@ references:
|
||||
stigid@ol7: OL07-00-010119
|
||||
stigid@ol8: OL08-00-020100
|
||||
stigid@rhel7: RHEL-07-010119
|
||||
- stigid@rhel8: RHEL-08-020100
|
||||
+ stigid@rhel8: RHEL-08-020104
|
||||
stigid@ubuntu2004: UBTU-20-010057
|
||||
|
||||
ocil_clause: 'it is not the required value'
|
||||
|
||||
ocil: |-
|
||||
To check how many retry attempts are permitted on a per-session basis, run the following command:
|
||||
+ {{% if product in ['rhel8', 'rhel9'] %}}
|
||||
+ <pre>$ grep retry /etc/security/pwquality.conf</pre>
|
||||
+ {{% else %}}
|
||||
{{% if 'ubuntu' in product %}}
|
||||
<pre>$ grep pam_pwquality /etc/pam.d/common-password</pre>
|
||||
{{% else %}}
|
||||
- <pre>$ grep pam_pwquality /etc/pam.d/system-auth {{% if product in ['rhel8', 'rhel9'] %}}/etc/pam.d/password-auth{{% endif %}}</pre>
|
||||
+ <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
|
||||
+ {{% endif %}}
|
||||
{{% endif %}}
|
||||
The <tt>retry</tt> parameter will indicate how many attempts are permitted.
|
||||
The DoD required value is less than or equal to 3.
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d92bc72971c..62fc512f05e 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -523,6 +523,20 @@ selections:
|
||||
- sssd_enable_certmap
|
||||
|
||||
# RHEL-08-020100
|
||||
+ - accounts_password_pam_pwquality_password_auth
|
||||
+
|
||||
+ # RHEL-08-020101
|
||||
+ - accounts_password_pam_pwquality_system_auth
|
||||
+
|
||||
+ # RHEL-08-020102
|
||||
+ # This is only required for RHEL8 systems below version 8.4 where the
|
||||
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
||||
+
|
||||
+ # RHEL-08-020103
|
||||
+ # This is only required for RHEL8 systems below version 8.4 where the
|
||||
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
||||
+
|
||||
+ # RHEL-08-020104
|
||||
- accounts_password_pam_retry
|
||||
|
||||
# RHEL-08-020110
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 42c6d0e9aca..ad08a6d3410 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -524,6 +524,20 @@ selections:
|
||||
- sssd_enable_certmap
|
||||
|
||||
# RHEL-08-020100
|
||||
+ - accounts_password_pam_pwquality_password_auth
|
||||
+
|
||||
+ # RHEL-08-020101
|
||||
+ - accounts_password_pam_pwquality_system_auth
|
||||
+
|
||||
+ # RHEL-08-020102
|
||||
+ # This is only required for RHEL8 systems below version 8.4 where the
|
||||
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
||||
+
|
||||
+ # RHEL-08-020103
|
||||
+ # This is only required for RHEL8 systems below version 8.4 where the
|
||||
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
||||
+
|
||||
+ # RHEL-08-020104
|
||||
- accounts_password_pam_retry
|
||||
|
||||
# RHEL-08-020110
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index e4fee44f9f9..33e82401c3d 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -53,6 +53,8 @@ selections:
|
||||
- accounts_password_pam_ocredit
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
+- accounts_password_pam_pwquality_password_auth
|
||||
+- accounts_password_pam_pwquality_system_auth
|
||||
- accounts_password_pam_retry
|
||||
- accounts_password_pam_ucredit
|
||||
- accounts_password_pam_unix_rounds_password_auth
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 83d04775e3a..5beeb4f28af 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -64,6 +64,8 @@ selections:
|
||||
- accounts_password_pam_ocredit
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
+- accounts_password_pam_pwquality_password_auth
|
||||
+- accounts_password_pam_pwquality_system_auth
|
||||
- accounts_password_pam_retry
|
||||
- accounts_password_pam_ucredit
|
||||
- accounts_password_pam_unix_rounds_password_auth
|
@ -1,126 +0,0 @@
|
||||
From 622558873703704bd97fde1874a9a782d4cb8b0e Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 17:51:50 +0100
|
||||
Subject: [PATCH] Introduce CPE for aarch64 and make package_rear_installed n/a
|
||||
aarch64.
|
||||
|
||||
This rule is not applicable for RHEL9 only.
|
||||
---
|
||||
.../package_rear_installed/rule.yml | 4 +++
|
||||
shared/applicability/arch.yml | 12 +++++++
|
||||
...proc_sys_kernel_osrelease_arch_aarch64.xml | 33 +++++++++++++++++++
|
||||
..._sys_kernel_osrelease_arch_not_aarch64.xml | 16 +++++++++
|
||||
ssg/constants.py | 2 ++
|
||||
5 files changed, 67 insertions(+)
|
||||
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
|
||||
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
index 6e3c11e5749..efb591654a9 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
@@ -25,6 +25,10 @@ ocil: '{{{ ocil_package(package="rear") }}}'
|
||||
# The package is not available for s309x on RHEL<8.5
|
||||
# platform: not_s390x_arch
|
||||
|
||||
+{{%- if product == "rhel9" %}}
|
||||
+platform: not_aarch64_arch
|
||||
+{{%- endif %}}
|
||||
+
|
||||
template:
|
||||
name: package_installed
|
||||
vars:
|
||||
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
|
||||
index d2cbd102310..9ac05317a95 100644
|
||||
--- a/shared/applicability/arch.yml
|
||||
+++ b/shared/applicability/arch.yml
|
||||
@@ -12,3 +12,15 @@ cpes:
|
||||
check_id: proc_sys_kernel_osrelease_arch_s390x
|
||||
bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease'
|
||||
|
||||
+ - not_aarch64_arch:
|
||||
+ name: "cpe:/a:not_aarch64_arch"
|
||||
+ title: "System architecture is not AARCH64"
|
||||
+ check_id: proc_sys_kernel_osrelease_arch_not_aarch64
|
||||
+ bash_conditional: "! grep -q aarch64 /proc/sys/kernel/osrelease"
|
||||
+
|
||||
+ - aarch64_arch:
|
||||
+ name: "cpe:/a:aarch64_arch"
|
||||
+ title: "System architecture is AARCH64"
|
||||
+ check_id: proc_sys_kernel_osrelease_arch_aarch64
|
||||
+ bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
|
||||
+
|
||||
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
|
||||
new file mode 100644
|
||||
index 00000000000..3d54f81e6d4
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
|
||||
@@ -0,0 +1,33 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_aarch64"
|
||||
+ version="1">
|
||||
+ <metadata>
|
||||
+ <title>Test that the architecture is aarch64</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_all</platform>
|
||||
+ </affected>
|
||||
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="Architecture is aarch64"
|
||||
+ test_ref="test_proc_sys_kernel_osrelease_arch_aarch64" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="proc_sys_kernel is for aarch64 architecture"
|
||||
+ id="test_proc_sys_kernel_osrelease_arch_aarch64"
|
||||
+ version="1">
|
||||
+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_aarch64" />
|
||||
+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_aarch64" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_aarch64" version="1">
|
||||
+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_aarch64" version="1">
|
||||
+ <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+</def-group>
|
||||
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
|
||||
new file mode 100644
|
||||
index 00000000000..3fce66ee00a
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
|
||||
@@ -0,0 +1,16 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_not_aarch64"
|
||||
+ version="1">
|
||||
+ <metadata>
|
||||
+ <title>Test for different architecture than aarch64</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_all</platform>
|
||||
+ </affected>
|
||||
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <extend_definition comment="Architecture is not aarch64"
|
||||
+ definition_ref="proc_sys_kernel_osrelease_arch_aarch64" negate="true"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+</def-group>
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index 64d7d36c989..92cc2f8de34 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -424,6 +424,8 @@
|
||||
"non-uefi": None,
|
||||
"not_s390x_arch": None,
|
||||
"s390x_arch": None,
|
||||
+ "not_aarch64_arch": None,
|
||||
+ "aarch64_arch": None,
|
||||
"ovirt": None,
|
||||
"no_ovirt": None,
|
||||
}
|
@ -1,44 +0,0 @@
|
||||
diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml
|
||||
index d7821c2e3b8..fe6b0f01186 100644
|
||||
--- a/controls/stig_rhel8.yml
|
||||
+++ b/controls/stig_rhel8.yml
|
||||
@@ -584,11 +584,6 @@ controls:
|
||||
rules:
|
||||
- sshd_disable_root_login
|
||||
status: automated
|
||||
- - id: RHEL-08-010560
|
||||
- levels:
|
||||
- - medium
|
||||
- title: The auditd service must be running in RHEL 8.
|
||||
- status: pending
|
||||
- id: RHEL-08-010561
|
||||
levels:
|
||||
- medium
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 7c89bcbf659..09fa85df181 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -368,9 +368,6 @@ selections:
|
||||
# RHEL-08-010550
|
||||
- sshd_disable_root_login
|
||||
|
||||
- # RHEL-08-010560
|
||||
- - service_auditd_enabled
|
||||
-
|
||||
# RHEL-08-010561
|
||||
- service_rsyslog_enabled
|
||||
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 690991f697b..eb2cac913bd 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -369,9 +369,6 @@ selections:
|
||||
# RHEL-08-010550
|
||||
- sshd_disable_root_login
|
||||
|
||||
- # RHEL-08-010560
|
||||
- - service_auditd_enabled
|
||||
-
|
||||
# RHEL-08-010561
|
||||
- service_rsyslog_enabled
|
||||
|
@ -1,106 +0,0 @@
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d92bc72971c..98cabee38dd 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -51,7 +51,7 @@ selections:
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
- var_password_pam_minlen=15
|
||||
- - var_sshd_set_keepalive=0
|
||||
+ # - var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
@@ -170,11 +170,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # RHEL-08-010200
|
||||
- - sshd_set_keepalive_0
|
||||
-
|
||||
- # RHEL-08-010201
|
||||
- - sshd_set_idle_timeout
|
||||
+ # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
+ # anymore. They will be disabled for now until an alternative
|
||||
+ # solution is found.
|
||||
+ # # RHEL-08-010200
|
||||
+ # - sshd_set_keepalive_0
|
||||
+ # # RHEL-08-010201
|
||||
+ # - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 42c6d0e9aca..842f17c7021 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -52,7 +52,7 @@ selections:
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
- var_password_pam_minlen=15
|
||||
- - var_sshd_set_keepalive=0
|
||||
+ # - var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
@@ -171,11 +171,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # RHEL-08-010200
|
||||
- - sshd_set_keepalive_0
|
||||
-
|
||||
- # RHEL-08-010201
|
||||
- - sshd_set_idle_timeout
|
||||
+ # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
+ # anymore. They will be disabled for now until an alternative
|
||||
+ # solution is found.
|
||||
+ # # RHEL-08-010200
|
||||
+ # - sshd_set_keepalive_0
|
||||
+ # # RHEL-08-010201
|
||||
+ # - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index e4fee44f9f9..e3c8ebfc9a5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -353,8 +353,6 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
-- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -423,7 +421,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
-- var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 83d04775e3a..8ef48e0654b 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -364,8 +364,6 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
-- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -432,7 +430,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
-- var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
@ -1,146 +0,0 @@
|
||||
From 0ffb73fe67cb5773037f62895e6fdc93195f7c38 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 21 Feb 2022 12:55:10 +0100
|
||||
Subject: [PATCH] Remove tmux process runinng check from
|
||||
configure_bashrc_exec_tmux.
|
||||
|
||||
This check can cause troubles since the user must be logged to show up
|
||||
as tmux running. For example, an evaluation happening through a cron job
|
||||
wouldn't be able to make this rule work, since no terminal is being
|
||||
used.
|
||||
---
|
||||
.../configure_bashrc_exec_tmux/oval/shared.xml | 10 ----------
|
||||
.../configure_bashrc_exec_tmux/rule.yml | 14 +-------------
|
||||
.../tests/correct_value.pass.sh | 1 -
|
||||
.../tests/correct_value_d_directory.pass.sh | 1 -
|
||||
.../tests/duplicate_value_multiple_files.pass.sh | 1 -
|
||||
.../tests/tmux_not_running.fail.sh | 13 -------------
|
||||
.../tests/wrong_value.fail.sh | 2 --
|
||||
7 files changed, 1 insertion(+), 41 deletions(-)
|
||||
delete mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
index 4cb2f9e0e04..58f91eadf66 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
@@ -4,7 +4,6 @@
|
||||
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
|
||||
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
test_ref="test_configure_bashrc_exec_tmux" />
|
||||
- <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
@@ -18,13 +17,4 @@
|
||||
<ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
-
|
||||
- <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
|
||||
- <unix:object object_ref="obj_tmux_running"/>
|
||||
- </unix:process58_test>
|
||||
-
|
||||
- <unix:process58_object id="obj_tmux_running" version="1">
|
||||
- <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
|
||||
- <unix:pid datatype="int" operation="greater than">0</unix:pid>
|
||||
- </unix:process58_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
index 7afc5fc5e6b..9f224748894 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
@@ -8,19 +8,11 @@ description: |-
|
||||
The <tt>tmux</tt> terminal multiplexer is used to implement
|
||||
automatic session locking. It should be started from
|
||||
<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
|
||||
- Additionally it must be ensured that the <tt>tmux</tt> process is running
|
||||
- and it can be verified with the following command:
|
||||
- <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
|
||||
rationale: |-
|
||||
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
|
||||
provides a mechanism to lock sessions after period of inactivity.
|
||||
|
||||
-warnings:
|
||||
- - general: |-
|
||||
- The remediation does not start the tmux process, so it must be
|
||||
- manually started or have the system rebooted after applying the fix.
|
||||
-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
@@ -34,7 +26,7 @@ references:
|
||||
stigid@ol8: OL08-00-020041
|
||||
stigid@rhel8: RHEL-08-020041
|
||||
|
||||
-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
|
||||
+ocil_clause: 'exec tmux is not present at the end of bashrc'
|
||||
|
||||
ocil: |-
|
||||
To verify that tmux is configured to execute,
|
||||
@@ -46,9 +38,5 @@ ocil: |-
|
||||
name=$(ps -o comm= -p $parent)
|
||||
case "$name" in sshd|login) exec tmux ;; esac
|
||||
fi</pre>
|
||||
- To verify that the tmux process is running,
|
||||
- run the following command:
|
||||
- <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
- If the command does not produce output, this is a finding.
|
||||
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
index 221c18665ef..fbc7590f27d 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
@@ -9,4 +9,3 @@ if [ "$PS1" ]; then
|
||||
fi
|
||||
EOF
|
||||
|
||||
-tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
index 1702bb17e79..6107f86f248 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
@@ -10,4 +10,3 @@ if [ "$PS1" ]; then
|
||||
fi
|
||||
EOF
|
||||
|
||||
-tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
|
||||
index 16d4acfcb5a..c662221eca1 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
|
||||
@@ -17,4 +17,3 @@ if [ "$PS1" ]; then
|
||||
fi
|
||||
EOF
|
||||
|
||||
-tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
deleted file mode 100644
|
||||
index 6cb9d83efc5..00000000000
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,13 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = tmux
|
||||
-# remediation = none
|
||||
-
|
||||
-cat >> /etc/bashrc <<'EOF'
|
||||
-if [ "$PS1" ]; then
|
||||
- parent=$(ps -o ppid= -p $$)
|
||||
- name=$(ps -o comm= -p $parent)
|
||||
- case "$name" in sshd|login) exec tmux ;; esac
|
||||
-fi
|
||||
-EOF
|
||||
-
|
||||
-killall tmux || true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
index f13a8b038e4..9b461654572 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
|
||||
fi
|
||||
# vim:ts=4:sw=4
|
||||
EOF
|
||||
-
|
||||
-tmux new-session -s root -d
|
@ -1,79 +0,0 @@
|
||||
From ea49c71011c1815b2889c5a004c79c99faff4a1c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 23 Feb 2022 18:23:22 +0100
|
||||
Subject: [PATCH] Adjsut partitions sizes to acomodate a GUI install
|
||||
|
||||
The GUI requires more room in the /usr partition.
|
||||
Let's reduce /otp, /srv and /home, which should not have any data.
|
||||
---
|
||||
.../rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 8 ++++----
|
||||
products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 8 ++++----
|
||||
.../kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 8 ++++----
|
||||
3 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 9c02e5c2ac1..cc18e8cd16f 100644
|
||||
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01
|
||||
# Create particular logical volumes (optional)
|
||||
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index 68729408698..3e99b4d0f99 100644
|
||||
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -104,13 +104,13 @@ volgroup VolGroup --pesize=4096 pv.01
|
||||
# Create particular logical volumes (optional)
|
||||
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 1f703d127e5..31d10a7e97e 100644
|
||||
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01
|
||||
# Create particular logical volumes (optional)
|
||||
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
|
||||
# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/tmp Located On Separate Partition
|
@ -1,285 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
index 09dc1566bbf..26c7eea79d1 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
@@ -6,10 +6,10 @@ title: 'Configure auditing of unsuccessful file accesses'
|
||||
|
||||
{{% set file_contents_audit_access_failed =
|
||||
"## Unsuccessful file access (any other opens) This has to go last.
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
|
||||
|
||||
description: |-
|
||||
Ensure that unsuccessful attempts to access a file are audited.
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
index 5ce9fe6799c..262cf290ec0 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
@@ -7,8 +7,8 @@ title: 'Configure auditing of successful file accesses'
|
||||
{{% set file_contents_audit_access_success =
|
||||
"## Successful file access (any other opens) This has to go last.
|
||||
## These next two are likely to result in a whole lot of events
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
|
||||
|
||||
description: |-
|
||||
Ensure that successful attempts to access a file are audited.
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
index e37291c68a1..bdc59faa5f7 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
@@ -4,7 +4,7 @@ prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Perform general configuration of Audit for OSPP'
|
||||
|
||||
-{{% if product == "rhel9" %}}
|
||||
+
|
||||
{{% set file_contents_audit_ospp_general =
|
||||
"## The purpose of these rules is to meet the requirements for Operating
|
||||
## System Protection Profile (OSPP)v4.2. These rules depends on having
|
||||
@@ -90,89 +90,7 @@ title: 'Perform general configuration of Audit for OSPP'
|
||||
## state results from that policy. This would be handled entirely by
|
||||
## that daemon.
|
||||
" %}}
|
||||
-{{% else %}}
|
||||
-{{% set file_contents_audit_ospp_general =
|
||||
-"## The purpose of these rules is to meet the requirements for Operating
|
||||
-## System Protection Profile (OSPP)v4.2. These rules depends on having
|
||||
-## the following rule files copied to /etc/audit/rules.d:
|
||||
-##
|
||||
-## 10-base-config.rules, 11-loginuid.rules,
|
||||
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
|
||||
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
|
||||
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
|
||||
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
|
||||
-## 30-ospp-v42-5-perm-change-failed.rules,
|
||||
-## 30-ospp-v42-5-perm-change-success.rules,
|
||||
-## 30-ospp-v42-6-owner-change-failed.rules,
|
||||
-## 30-ospp-v42-6-owner-change-success.rules
|
||||
-##
|
||||
-## original copies may be found in /usr/share/audit/sample-rules/
|
||||
-
|
||||
-
|
||||
-## User add delete modify. This is covered by pam. However, someone could
|
||||
-## open a file and directly create or modify a user, so we'll watch passwd and
|
||||
-## shadow for writes
|
||||
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-
|
||||
-## User enable and disable. This is entirely handled by pam.
|
||||
-
|
||||
-## Group add delete modify. This is covered by pam. However, someone could
|
||||
-## open a file and directly create or modify a user, so we'll watch group and
|
||||
-## gshadow for writes
|
||||
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
-
|
||||
|
||||
-## Use of special rights for config changes. This would be use of setuid
|
||||
-## programs that relate to user accts. This is not all setuid apps because
|
||||
-## requirements are only for ones that affect system configuration.
|
||||
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-
|
||||
-## Privilege escalation via su or sudo. This is entirely handled by pam.
|
||||
-
|
||||
-## Audit log access
|
||||
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
||||
-## Attempts to Alter Process and Session Initiation Information
|
||||
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
-
|
||||
-## Attempts to modify MAC controls
|
||||
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
||||
-
|
||||
-## Software updates. This is entirely handled by rpm.
|
||||
-
|
||||
-## System start and shutdown. This is entirely handled by systemd
|
||||
-
|
||||
-## Kernel Module loading. This is handled in 43-module-load.rules
|
||||
-
|
||||
-## Application invocation. The requirements list an optional requirement
|
||||
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
||||
-## state results from that policy. This would be handled entirely by
|
||||
-## that daemon.
|
||||
-" %}}
|
||||
-{{% endif %}}
|
||||
|
||||
description: |-
|
||||
Configure some basic <tt>Audit</tt> parameters specific for OSPP profile.
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
||||
index ffe2344db56..c59e7e5e1f2 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
|
||||
@@ -1,3 +1,3 @@
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
|
||||
cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
|
||||
deleted file mode 100644
|
||||
index 96ef5ae0a23..00000000000
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,3 +0,0 @@
|
||||
-# platform = Red Hat Enterprise Linux 9
|
||||
-
|
||||
-cp $SHARED/audit/30-ospp-v42_rhel9.rules /etc/audit/rules.d/30-ospp-v42.rules
|
||||
diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
||||
index a5aad3a95ce..39ac7a883ca 100644
|
||||
--- a/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
||||
+++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
|
||||
@@ -1,5 +1,5 @@
|
||||
## Unsuccessful file access (any other opens) This has to go last.
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
||||
index 0c8a6b65760..79004ce0c21 100644
|
||||
--- a/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
||||
+++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules
|
||||
@@ -1,4 +1,4 @@
|
||||
## Successful file access (any other opens) This has to go last.
|
||||
## These next two are likely to result in a whole lot of events
|
||||
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules
|
||||
index 3dced17255c..2d3c48265b6 100644
|
||||
--- a/tests/shared/audit/30-ospp-v42.rules
|
||||
+++ b/tests/shared/audit/30-ospp-v42.rules
|
||||
@@ -57,6 +57,10 @@
|
||||
|
||||
## Privilege escalation via su or sudo. This is entirely handled by pam.
|
||||
|
||||
+## Watch for configuration changes to privilege escalation.
|
||||
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
|
||||
+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
|
||||
+
|
||||
## Audit log access
|
||||
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
||||
## Attempts to Alter Process and Session Initiation Information
|
||||
diff --git a/tests/shared/audit/30-ospp-v42_rhel9.rules b/tests/shared/audit/30-ospp-v42_rhel9.rules
|
||||
deleted file mode 100644
|
||||
index 2d3c48265b6..00000000000
|
||||
--- a/tests/shared/audit/30-ospp-v42_rhel9.rules
|
||||
+++ /dev/null
|
||||
@@ -1,84 +0,0 @@
|
||||
-## The purpose of these rules is to meet the requirements for Operating
|
||||
-## System Protection Profile (OSPP)v4.2. These rules depends on having
|
||||
-## the following rule files copied to /etc/audit/rules.d:
|
||||
-##
|
||||
-## 10-base-config.rules, 11-loginuid.rules,
|
||||
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
|
||||
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
|
||||
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
|
||||
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
|
||||
-## 30-ospp-v42-5-perm-change-failed.rules,
|
||||
-## 30-ospp-v42-5-perm-change-success.rules,
|
||||
-## 30-ospp-v42-6-owner-change-failed.rules,
|
||||
-## 30-ospp-v42-6-owner-change-success.rules
|
||||
-##
|
||||
-## original copies may be found in /usr/share/audit/sample-rules/
|
||||
-
|
||||
-
|
||||
-## User add delete modify. This is covered by pam. However, someone could
|
||||
-## open a file and directly create or modify a user, so we'll watch passwd and
|
||||
-## shadow for writes
|
||||
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-
|
||||
-## User enable and disable. This is entirely handled by pam.
|
||||
-
|
||||
-## Group add delete modify. This is covered by pam. However, someone could
|
||||
-## open a file and directly create or modify a user, so we'll watch group and
|
||||
-## gshadow for writes
|
||||
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
-
|
||||
-
|
||||
-## Use of special rights for config changes. This would be use of setuid
|
||||
-## programs that relate to user accts. This is not all setuid apps because
|
||||
-## requirements are only for ones that affect system configuration.
|
||||
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-
|
||||
-## Privilege escalation via su or sudo. This is entirely handled by pam.
|
||||
-
|
||||
-## Watch for configuration changes to privilege escalation.
|
||||
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
|
||||
--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
|
||||
-
|
||||
-## Audit log access
|
||||
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
||||
-## Attempts to Alter Process and Session Initiation Information
|
||||
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
-
|
||||
-## Attempts to modify MAC controls
|
||||
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
||||
-
|
||||
-## Software updates. This is entirely handled by rpm.
|
||||
-
|
||||
-## System start and shutdown. This is entirely handled by systemd
|
||||
-
|
||||
-## Kernel Module loading. This is handled in 43-module-load.rules
|
||||
-
|
||||
-## Application invocation. The requirements list an optional requirement
|
||||
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
||||
-## state results from that policy. This would be handled entirely by
|
||||
-## that daemon.
|
||||
-
|
@ -1,493 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
index a0b3efcbf79..1bc7afbb224 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
@@ -58,7 +58,7 @@ references:
|
||||
stigid@ol7: OL07-00-030410
|
||||
stigid@ol8: OL08-00-030540
|
||||
stigid@rhel7: RHEL-07-030420
|
||||
- stigid@rhel8: RHEL-08-030540
|
||||
+ stigid@rhel8: RHEL-08-030490
|
||||
stigid@sle12: SLES-12-020470
|
||||
stigid@sle15: SLES-15-030300
|
||||
stigid@ubuntu2004: UBTU-20-010153
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
index 83dd57f2b6d..dc8211684f2 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
@@ -58,7 +58,7 @@ references:
|
||||
stigid@ol7: OL07-00-030410
|
||||
stigid@ol8: OL08-00-030530
|
||||
stigid@rhel7: RHEL-07-030430
|
||||
- stigid@rhel8: RHEL-08-030530
|
||||
+ stigid@rhel8: RHEL-08-030490
|
||||
stigid@sle12: SLES-12-020480
|
||||
stigid@sle15: SLES-15-030310
|
||||
stigid@ubuntu2004: UBTU-20-010154
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
index 1b78aab4a1a..07592bb2fd9 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
@@ -61,7 +61,7 @@ references:
|
||||
stigid@ol7: OL07-00-030370
|
||||
stigid@ol8: OL08-00-030520
|
||||
stigid@rhel7: RHEL-07-030380
|
||||
- stigid@rhel8: RHEL-08-030520
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020430
|
||||
stigid@sle15: SLES-15-030260
|
||||
stigid@ubuntu2004: UBTU-20-010149
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
index 360c60de06d..084970765b2 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
@@ -58,7 +58,7 @@ references:
|
||||
stigid@ol7: OL07-00-030370
|
||||
stigid@ol8: OL08-00-030510
|
||||
stigid@rhel7: RHEL-07-030400
|
||||
- stigid@rhel8: RHEL-08-030510
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020450
|
||||
stigid@sle15: SLES-15-030280
|
||||
stigid@ubuntu2004: UBTU-20-010150
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
index 19bf8a5b981..5695440ad7d 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
@@ -75,7 +75,7 @@ references:
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@ol8: OL08-00-030240
|
||||
stigid@rhel7: RHEL-07-030480
|
||||
- stigid@rhel8: RHEL-08-030240
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020410
|
||||
stigid@sle15: SLES-15-030210
|
||||
stigid@ubuntu2004: UBTU-20-010147
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
index 40cd114042e..ab536a8ae0a 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
@@ -70,7 +70,7 @@ references:
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@ol8: OL08-00-030230
|
||||
stigid@rhel7: RHEL-07-030450
|
||||
- stigid@rhel8: RHEL-08-030230
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020380
|
||||
stigid@sle15: SLES-15-030230
|
||||
stigid@ubuntu2004: UBTU-20-010144
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
index 81dddd9fb71..d1f4ee35ccb 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
@@ -58,7 +58,7 @@ references:
|
||||
stigid@ol7: OL07-00-030370
|
||||
stigid@ol8: OL08-00-030500
|
||||
stigid@rhel7: RHEL-07-030390
|
||||
- stigid@rhel8: RHEL-08-030500
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020440
|
||||
stigid@sle15: SLES-15-030270
|
||||
stigid@ubuntu2004: UBTU-20-010151
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
index fa15012b05f..a2425e373bc 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
@@ -69,7 +69,7 @@ references:
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@ol8: OL08-00-030220
|
||||
stigid@rhel7: RHEL-07-030460
|
||||
- stigid@rhel8: RHEL-08-030220
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle15: SLES-15-030240
|
||||
stigid@ubuntu2004: UBTU-20-010143
|
||||
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
index 6d15eecee2c..0be27fbe860 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
@@ -74,7 +74,7 @@ references:
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@ol8: OL08-00-030210
|
||||
stigid@rhel7: RHEL-07-030470
|
||||
- stigid@rhel8: RHEL-08-030210
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020390
|
||||
stigid@sle15: SLES-15-030190
|
||||
stigid@ubuntu2004: UBTU-20-010145
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
index 6f7cea26e16..5dc13a0a43a 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
@@ -70,7 +70,7 @@ references:
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@ol8: OL08-00-030270
|
||||
stigid@rhel7: RHEL-07-030440
|
||||
- stigid@rhel8: RHEL-08-030270
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020370
|
||||
stigid@sle15: SLES-15-030220
|
||||
stigid@ubuntu2004: UBTU-20-010142
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
index 718dcb8a9d9..120d6fa84d3 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
@@ -52,7 +52,7 @@ references:
|
||||
stigid@ol7: OL07-00-030910
|
||||
stigid@ol8: OL08-00-030362
|
||||
stigid@rhel7: RHEL-07-030890
|
||||
- stigid@rhel8: RHEL-08-030362
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010270
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
index 643f075f46a..4caa7c66986 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
@@ -49,7 +49,7 @@ references:
|
||||
stigid@ol7: OL07-00-030910
|
||||
stigid@ol8: OL08-00-030363
|
||||
stigid@rhel7: RHEL-07-030900
|
||||
- stigid@rhel8: RHEL-08-030363
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
index 9cf3c4668bc..8fea9dc4582 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
@@ -52,7 +52,7 @@ references:
|
||||
stigid@ol7: OL07-00-030910
|
||||
stigid@ol8: OL08-00-030364
|
||||
stigid@rhel7: RHEL-07-030910
|
||||
- stigid@rhel8: RHEL-08-030364
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010267
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
index d0ebbdbd723..bee18e99b52 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
@@ -52,7 +52,7 @@ references:
|
||||
stigid@ol7: OL07-00-030910
|
||||
stigid@ol8: OL08-00-030365
|
||||
stigid@rhel7: RHEL-07-030920
|
||||
- stigid@rhel8: RHEL-08-030365
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010268
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
index 373b12525e1..736c6643b57 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
@@ -63,7 +63,7 @@ references:
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@ol8: OL08-00-030470
|
||||
stigid@rhel7: RHEL-07-030500
|
||||
- stigid@rhel8: RHEL-08-030470
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020520
|
||||
stigid@sle15: SLES-15-030160
|
||||
stigid@ubuntu2004: UBTU-20-010158
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
index 2b2d82a736b..6b4176d53e3 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
@@ -66,7 +66,7 @@ references:
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@ol8: OL08-00-030460
|
||||
stigid@rhel7: RHEL-07-030550
|
||||
- stigid@rhel8: RHEL-08-030460
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020510
|
||||
stigid@sle15: SLES-15-030320
|
||||
stigid@ubuntu2004: UBTU-20-010157
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
index dcb3d0f0525..90d45b6787e 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
@@ -66,7 +66,7 @@ references:
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@ol8: OL08-00-030440
|
||||
stigid@rhel7: RHEL-07-030510
|
||||
- stigid@rhel8: RHEL-08-030440
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020490
|
||||
stigid@sle15: SLES-15-030150
|
||||
stigid@ubuntu2004: UBTU-20-010155
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
index e68d892bb90..6df936e489c 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
@@ -60,7 +60,7 @@ references:
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@ol8: OL08-00-030450
|
||||
stigid@rhel7: RHEL-07-030530
|
||||
- stigid@rhel8: RHEL-08-030450
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020540
|
||||
stigid@sle15: SLES-15-030180
|
||||
stigid@ubuntu2004: UBTU-20-010160
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
index cd6bd545e71..1b6ae818e48 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
@@ -66,7 +66,7 @@ references:
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@ol8: OL08-00-030430
|
||||
stigid@rhel7: RHEL-07-030520
|
||||
- stigid@rhel8: RHEL-08-030430
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020530
|
||||
stigid@sle15: SLES-15-030170
|
||||
stigid@ubuntu2004: UBTU-20-010159
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
index 50e5b4e4f02..2f1c6d0bf22 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
@@ -51,7 +51,7 @@ references:
|
||||
stigid@ol7: OL07-00-030820
|
||||
stigid@ol8: OL08-00-030380
|
||||
stigid@rhel7: RHEL-07-030821
|
||||
- stigid@rhel8: RHEL-08-030380
|
||||
+ stigid@rhel8: RHEL-08-030360
|
||||
stigid@sle12: SLES-12-020740
|
||||
stigid@sle15: SLES-15-030530
|
||||
stigid@ubuntu2004: UBTU-20-010180
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index ffca983d0bd..d92bc72971c 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -560,6 +560,8 @@ selections:
|
||||
|
||||
# RHEL-08-020220
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
+
|
||||
+ # RHEL-08-020221
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
|
||||
# RHEL-08-020230
|
||||
@@ -712,18 +714,11 @@ selections:
|
||||
|
||||
# RHEL-08-030200
|
||||
- audit_rules_dac_modification_lremovexattr
|
||||
-
|
||||
- # RHEL-08-030210
|
||||
- audit_rules_dac_modification_removexattr
|
||||
-
|
||||
- # RHEL-08-030220
|
||||
- audit_rules_dac_modification_lsetxattr
|
||||
-
|
||||
- # RHEL-08-030230
|
||||
- audit_rules_dac_modification_fsetxattr
|
||||
-
|
||||
- # RHEL-08-030240
|
||||
- audit_rules_dac_modification_fremovexattr
|
||||
+ - audit_rules_dac_modification_setxattr
|
||||
|
||||
# RHEL-08-030250
|
||||
- audit_rules_privileged_commands_chage
|
||||
@@ -731,8 +726,6 @@ selections:
|
||||
# RHEL-08-030260
|
||||
- audit_rules_execution_chcon
|
||||
|
||||
- # RHEL-08-030270
|
||||
- - audit_rules_dac_modification_setxattr
|
||||
|
||||
# RHEL-08-030280
|
||||
- audit_rules_privileged_commands_ssh_agent
|
||||
@@ -787,28 +780,18 @@ selections:
|
||||
|
||||
# RHEL-08-030360
|
||||
- audit_rules_kernel_module_loading_init
|
||||
+ - audit_rules_kernel_module_loading_finit
|
||||
|
||||
# RHEL-08-030361
|
||||
- audit_rules_file_deletion_events_rename
|
||||
-
|
||||
- # RHEL-08-030362
|
||||
- audit_rules_file_deletion_events_renameat
|
||||
-
|
||||
- # RHEL-08-030363
|
||||
- audit_rules_file_deletion_events_rmdir
|
||||
-
|
||||
- # RHEL-08-030364
|
||||
- audit_rules_file_deletion_events_unlink
|
||||
-
|
||||
- # RHEL-08-030365
|
||||
- audit_rules_file_deletion_events_unlinkat
|
||||
|
||||
# RHEL-08-030370
|
||||
- audit_rules_privileged_commands_gpasswd
|
||||
|
||||
- # RHEL-08-030380
|
||||
- - audit_rules_kernel_module_loading_finit
|
||||
-
|
||||
# RHEL-08-030390
|
||||
- audit_rules_kernel_module_loading_delete
|
||||
|
||||
@@ -820,41 +803,21 @@ selections:
|
||||
|
||||
# RHEL-08-030420
|
||||
- audit_rules_unsuccessful_file_modification_truncate
|
||||
-
|
||||
- # RHEL-08-030430
|
||||
- audit_rules_unsuccessful_file_modification_openat
|
||||
-
|
||||
- # RHEL-08-030440
|
||||
- audit_rules_unsuccessful_file_modification_open
|
||||
-
|
||||
- # RHEL-08-030450
|
||||
- audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||||
-
|
||||
- # RHEL-08-030460
|
||||
- audit_rules_unsuccessful_file_modification_ftruncate
|
||||
-
|
||||
- # RHEL-08-030470
|
||||
- audit_rules_unsuccessful_file_modification_creat
|
||||
|
||||
# RHEL-08-030480
|
||||
- audit_rules_dac_modification_chown
|
||||
-
|
||||
- # RHEL-08-030490
|
||||
- - audit_rules_dac_modification_chmod
|
||||
-
|
||||
- # RHEL-08-030500
|
||||
- audit_rules_dac_modification_lchown
|
||||
-
|
||||
- # RHEL-08-030510
|
||||
- audit_rules_dac_modification_fchownat
|
||||
-
|
||||
- # RHEL-08-030520
|
||||
- audit_rules_dac_modification_fchown
|
||||
|
||||
- # RHEL-08-030530
|
||||
+ # RHEL-08-030490
|
||||
+ - audit_rules_dac_modification_chmod
|
||||
- audit_rules_dac_modification_fchmodat
|
||||
-
|
||||
- # RHEL-08-030540
|
||||
- audit_rules_dac_modification_fchmod
|
||||
|
||||
# RHEL-08-030550
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index eb2cac913bd..42c6d0e9aca 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -561,6 +561,8 @@ selections:
|
||||
|
||||
# RHEL-08-020220
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
+
|
||||
+ # RHEL-08-020221
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
|
||||
# RHEL-08-020230
|
||||
@@ -713,18 +715,11 @@ selections:
|
||||
|
||||
# RHEL-08-030200
|
||||
- audit_rules_dac_modification_lremovexattr
|
||||
-
|
||||
- # RHEL-08-030210
|
||||
- audit_rules_dac_modification_removexattr
|
||||
-
|
||||
- # RHEL-08-030220
|
||||
- audit_rules_dac_modification_lsetxattr
|
||||
-
|
||||
- # RHEL-08-030230
|
||||
- audit_rules_dac_modification_fsetxattr
|
||||
-
|
||||
- # RHEL-08-030240
|
||||
- audit_rules_dac_modification_fremovexattr
|
||||
+ - audit_rules_dac_modification_setxattr
|
||||
|
||||
# RHEL-08-030250
|
||||
- audit_rules_privileged_commands_chage
|
||||
@@ -732,9 +727,6 @@ selections:
|
||||
# RHEL-08-030260
|
||||
- audit_rules_execution_chcon
|
||||
|
||||
- # RHEL-08-030270
|
||||
- - audit_rules_dac_modification_setxattr
|
||||
-
|
||||
# RHEL-08-030280
|
||||
- audit_rules_privileged_commands_ssh_agent
|
||||
|
||||
@@ -788,28 +780,18 @@ selections:
|
||||
|
||||
# RHEL-08-030360
|
||||
- audit_rules_kernel_module_loading_init
|
||||
+ - audit_rules_kernel_module_loading_finit
|
||||
|
||||
# RHEL-08-030361
|
||||
- audit_rules_file_deletion_events_rename
|
||||
-
|
||||
- # RHEL-08-030362
|
||||
- audit_rules_file_deletion_events_renameat
|
||||
-
|
||||
- # RHEL-08-030363
|
||||
- audit_rules_file_deletion_events_rmdir
|
||||
-
|
||||
- # RHEL-08-030364
|
||||
- audit_rules_file_deletion_events_unlink
|
||||
-
|
||||
- # RHEL-08-030365
|
||||
- audit_rules_file_deletion_events_unlinkat
|
||||
|
||||
# RHEL-08-030370
|
||||
- audit_rules_privileged_commands_gpasswd
|
||||
|
||||
- # RHEL-08-030380
|
||||
- - audit_rules_kernel_module_loading_finit
|
||||
-
|
||||
# RHEL-08-030390
|
||||
- audit_rules_kernel_module_loading_delete
|
||||
|
||||
@@ -821,41 +803,21 @@ selections:
|
||||
|
||||
# RHEL-08-030420
|
||||
- audit_rules_unsuccessful_file_modification_truncate
|
||||
-
|
||||
- # RHEL-08-030430
|
||||
- audit_rules_unsuccessful_file_modification_openat
|
||||
-
|
||||
- # RHEL-08-030440
|
||||
- audit_rules_unsuccessful_file_modification_open
|
||||
-
|
||||
- # RHEL-08-030450
|
||||
- audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||||
-
|
||||
- # RHEL-08-030460
|
||||
- audit_rules_unsuccessful_file_modification_ftruncate
|
||||
-
|
||||
- # RHEL-08-030470
|
||||
- audit_rules_unsuccessful_file_modification_creat
|
||||
|
||||
# RHEL-08-030480
|
||||
- audit_rules_dac_modification_chown
|
||||
-
|
||||
- # RHEL-08-030490
|
||||
- - audit_rules_dac_modification_chmod
|
||||
-
|
||||
- # RHEL-08-030500
|
||||
- audit_rules_dac_modification_lchown
|
||||
-
|
||||
- # RHEL-08-030510
|
||||
- audit_rules_dac_modification_fchownat
|
||||
-
|
||||
- # RHEL-08-030520
|
||||
- audit_rules_dac_modification_fchown
|
||||
|
||||
- # RHEL-08-030530
|
||||
+ # RHEL-08-030490
|
||||
+ - audit_rules_dac_modification_chmod
|
||||
- audit_rules_dac_modification_fchmodat
|
||||
-
|
||||
- # RHEL-08-030540
|
||||
- audit_rules_dac_modification_fchmod
|
||||
|
||||
# RHEL-08-030550
|
@ -1,375 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..1c151a1ec1a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv
|
||||
+
|
||||
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
|
||||
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..24fdbe4c1d4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
|
||||
@@ -0,0 +1,19 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">
|
||||
+ {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_pam_unix_passwordauth_sha512" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">
|
||||
+ <ind:object object_ref="object_pam_unix_passwordauth_sha512" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">
|
||||
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..9375269161d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
|
||||
@@ -0,0 +1,72 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
||||
+
|
||||
+title: "Set PAM's Password Hashing Algorithm - password-auth"
|
||||
+
|
||||
+description: |-
|
||||
+ The PAM system service can be configured to only store encrypted
|
||||
+ representations of passwords. In
|
||||
+ <tt>/etc/pam.d/password-auth</tt>,
|
||||
+ the
|
||||
+ <tt>password</tt> section of the file controls which PAM modules execute
|
||||
+ during a password change. Set the <tt>pam_unix.so</tt> module in the
|
||||
+ <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown
|
||||
+ below:
|
||||
+ <br />
|
||||
+ <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre>
|
||||
+ <br />
|
||||
+ This will help ensure when local users change their passwords, hashes for
|
||||
+ the new passwords will be generated using the SHA-512 algorithm. This is
|
||||
+ the default.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Passwords need to be protected at all times, and encryption is the standard
|
||||
+ method for protecting passwords. If passwords are not encrypted, they can
|
||||
+ be plainly read (i.e., clear text) and easily compromised. Passwords that
|
||||
+ are encrypted with a weak algorithm are no more protected than if they are
|
||||
+ kepy in plain text.
|
||||
+ <br /><br />
|
||||
+ This setting ensures user and group account administration utilities are
|
||||
+ configured to store only encrypted representations of passwords.
|
||||
+ Additionally, the <tt>crypt_style</tt> configuration option ensures the use
|
||||
+ of a strong hashing algorithm that makes password cracking attacks more
|
||||
+ difficult.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-85943-9
|
||||
+ cce@rhel8: CCE-85945-4
|
||||
+ cce@rhel9: CCE-85946-2
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R32)
|
||||
+ cis-csc: 1,12,15,16,5
|
||||
+ cis@rhel7: 5.4.3
|
||||
+ cis@rhel8: 5.4.4
|
||||
+ cjis: 5.6.2.2
|
||||
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
|
||||
+ cui: 3.13.11
|
||||
+ disa: CCI-000196
|
||||
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
|
||||
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
|
||||
+ ism: 0418,1055,1402
|
||||
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
|
||||
+ nist: IA-5(c),IA-5(1)(c),CM-6(a)
|
||||
+ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
|
||||
+ pcidss: Req-8.2.1
|
||||
+ srg: SRG-OS-000073-GPOS-00041
|
||||
+ stigid@rhel7: RHEL-07-010200
|
||||
+ stigid@rhel8: RHEL-08-010160
|
||||
+ vmmsrg: SRG-OS-000480-VMM-002000
|
||||
+
|
||||
+ocil_clause: 'it does not'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>
|
||||
+ and ensure that the <tt>pam_unix.so</tt> module includes the argument
|
||||
+ <tt>sha512</tt>:
|
||||
+ <pre>$ grep sha512 /etc/pam.d/password-auth</pre>
|
||||
+
|
||||
+platform: pam
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a924fe5bd97
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
|
||||
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..68e925a645f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
index 542ea521a6c..e7503feeecb 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
||||
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
index d76b6f80c0c..a754a84df6c 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
@@ -3,6 +3,9 @@
|
||||
{{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
|
||||
<criteria operator="AND">
|
||||
<criterion test_ref="test_pam_unix_sha512" />
|
||||
+ {{%- if product == "rhel7" %}}
|
||||
+ <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />
|
||||
+ {{%- endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
index 13da9dd4086..59fb48e93b5 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
@@ -70,7 +70,7 @@ references:
|
||||
stigid@ol7: OL07-00-010200
|
||||
stigid@ol8: OL08-00-010160
|
||||
stigid@rhel7: RHEL-07-010200
|
||||
- stigid@rhel8: RHEL-08-010160
|
||||
+ stigid@rhel8: RHEL-08-010159
|
||||
stigid@sle12: SLES-12-010230
|
||||
stigid@sle15: SLES-15-020170
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
index 7e481760670..fb9feec4d27 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
index 09bb82dd1d7..2f35381d475 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
|
||||
index 3ada8e6fe49..4df21f4ae6e 100644
|
||||
--- a/products/rhel8/profiles/pci-dss.profile
|
||||
+++ b/products/rhel8/profiles/pci-dss.profile
|
||||
@@ -126,6 +126,7 @@ selections:
|
||||
- service_pcscd_enabled
|
||||
- sssd_enable_smartcards
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index 15abd98a6a5..7188062df72 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -54,6 +54,7 @@ selections:
|
||||
- accounts_password_pam_difok
|
||||
- accounts_passwords_pam_faillock_deny
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- require_singleuser_auth
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 04f158116ee..8d69bb48d38 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -149,6 +149,9 @@ selections:
|
||||
# RHEL-08-010152
|
||||
- require_emergency_target_auth
|
||||
|
||||
+ # RHEL-08-010159
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
+
|
||||
# RHEL-08-010160
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
|
||||
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
|
||||
index beb1acda31d..1e4044f4e7e 100644
|
||||
--- a/products/rhel9/profiles/pci-dss.profile
|
||||
+++ b/products/rhel9/profiles/pci-dss.profile
|
||||
@@ -123,6 +123,7 @@ selections:
|
||||
- service_pcscd_enabled
|
||||
- sssd_enable_smartcards
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 8f79b22e3e4..b9f557de030 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -150,6 +150,9 @@ selections:
|
||||
# RHEL-08-010152
|
||||
- require_emergency_target_auth
|
||||
|
||||
+ # RHEL-08-010159
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
+
|
||||
# RHEL-08-010160
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
|
||||
diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile
|
||||
index c4ed0ec2d48..d00f44996d8 100644
|
||||
--- a/products/rhv4/profiles/pci-dss.profile
|
||||
+++ b/products/rhv4/profiles/pci-dss.profile
|
||||
@@ -121,6 +121,7 @@ selections:
|
||||
- service_pcscd_enabled
|
||||
- sssd_enable_smartcards
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
|
||||
index 01c2fd8cc2d..9cf416665ab 100644
|
||||
--- a/products/rhv4/profiles/rhvh-stig.profile
|
||||
+++ b/products/rhv4/profiles/rhvh-stig.profile
|
||||
@@ -356,6 +356,7 @@ selections:
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- package_opensc_installed
|
||||
- var_smartcard_drivers=cac
|
||||
- configure_opensc_card_drivers
|
||||
diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile
|
||||
index c2b6c106937..e66fe435508 100644
|
||||
--- a/products/rhv4/profiles/rhvh-vpp.profile
|
||||
+++ b/products/rhv4/profiles/rhvh-vpp.profile
|
||||
@@ -201,6 +201,7 @@ selections:
|
||||
- accounts_password_pam_unix_remember
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- no_empty_passwords
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 3f6ec5e17c4..4aa925037b1 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -53,9 +53,6 @@ CCE-85939-7
|
||||
CCE-85940-5
|
||||
CCE-85941-3
|
||||
CCE-85942-1
|
||||
-CCE-85943-9
|
||||
-CCE-85945-4
|
||||
-CCE-85946-2
|
||||
CCE-85947-0
|
||||
CCE-85948-8
|
||||
CCE-85949-6
|
||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
index f58bcf91cf2..e235d492438 100644
|
||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
@@ -1,5 +1,9 @@
|
||||
+title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
|
||||
description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
|
||||
-documentation_complete: true
|
||||
+extends: null
|
||||
+metadata:
|
||||
+ SMEs:
|
||||
+ - yuumasato
|
||||
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
|
||||
selections:
|
||||
- account_disable_post_pw_expiration
|
||||
@@ -120,6 +124,7 @@ selections:
|
||||
- service_pcscd_enabled
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+- set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_set_keepalive_0
|
||||
@@ -136,4 +141,8 @@ selections:
|
||||
- var_multiple_time_servers=rhel
|
||||
- var_sshd_set_keepalive=0
|
||||
- var_smartcard_drivers=cac
|
||||
-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
|
||||
+platforms: !!set {}
|
||||
+cpe_names: !!set {}
|
||||
+platform: null
|
||||
+filter_rules: ''
|
||||
+documentation_complete: true
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index ed739e724f4..c5fcbf47de2 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -336,6 +337,7 @@ selections:
|
||||
- service_systemd-coredump_disabled
|
||||
- service_usbguard_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+- set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
- sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 56c3fcb9f59..49ec4ae41ac 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -347,6 +348,7 @@ selections:
|
||||
- service_systemd-coredump_disabled
|
||||
- service_usbguard_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+- set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
- sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
@ -1,397 +0,0 @@
|
||||
From 742e103392746dac771663247d169cfe498ee658 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 14:02:16 +0100
|
||||
Subject: [PATCH 1/7] modify vsyscall rules according to rhel9 ospp
|
||||
|
||||
add references
|
||||
make rules scored in th e profile
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 1 +
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
|
||||
products/rhel9/profiles/ospp.profile | 4 ----
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
index 1dd26fea9b6..9f38a1c13b9 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
@@ -25,6 +25,7 @@ identifiers:
|
||||
references:
|
||||
disa: CCI-001084
|
||||
nist: CM-7(a)
|
||||
+ ospp: FPT_ASLR_EXT.1
|
||||
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
|
||||
stigid@ol8: OL08-00-010422
|
||||
stigid@rhel8: RHEL-08-010422
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index 52b192ffc52..9d645c8876e 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -21,6 +21,9 @@ identifiers:
|
||||
cce@rhel8: CCE-83381-4
|
||||
cce@rhel9: CCE-84100-7
|
||||
|
||||
+references:
|
||||
+ ospp: FPT_ASLR_EXT.1
|
||||
+
|
||||
ocil_clause: 'vsyscalls are enabled'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index 287a28c43c5..f0b850a4ced 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -128,8 +128,6 @@ selections:
|
||||
- grub2_slub_debug_argument
|
||||
- grub2_page_poison_argument
|
||||
- grub2_vsyscall_argument
|
||||
- - grub2_vsyscall_argument.role=unscored
|
||||
- - grub2_vsyscall_argument.severity=info
|
||||
- grub2_pti_argument
|
||||
- grub2_kernel_trust_cpu_rng
|
||||
|
||||
@@ -421,5 +419,3 @@ selections:
|
||||
- zipl_slub_debug_argument
|
||||
- zipl_page_poison_argument
|
||||
- zipl_vsyscall_argument
|
||||
- - zipl_vsyscall_argument.role=unscored
|
||||
- - zipl_vsyscall_argument.severity=info
|
||||
|
||||
From d167658d46accbc75200a5d145a746322f1c2d4a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 14:05:24 +0100
|
||||
Subject: [PATCH 2/7] add ospp references to fips rules
|
||||
|
||||
---
|
||||
.../software/integrity/fips/enable_dracut_fips_module/rule.yml | 1 +
|
||||
.../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +-
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
index f342b9b8d95..3b7c3229b6f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
@@ -29,6 +29,7 @@ references:
|
||||
ism: "1446"
|
||||
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
|
||||
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
|
||||
+ ospp: FCS_RBG_EXT.1
|
||||
srg: SRG-OS-000478-GPOS-00223
|
||||
stigid@ol8: OL08-00-010020
|
||||
stigid@rhel8: RHEL-08-010020
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
index 7559e61600d..9d89114b07f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
||||
@@ -39,7 +39,7 @@ references:
|
||||
ism: "1446"
|
||||
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
|
||||
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
|
||||
- ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
|
||||
+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1
|
||||
srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176
|
||||
stigid@ol8: OL08-00-010020
|
||||
stigid@rhel8: RHEL-08-010020
|
||||
|
||||
From f05e895bb96b64a5142e62e3dd0f7208633d5c23 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 14:08:36 +0100
|
||||
Subject: [PATCH 3/7] drop no longer needed rules from ospp rhel9 profile
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index f0b850a4ced..7e30054bc98 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -125,11 +125,7 @@ selections:
|
||||
## Boot prompt
|
||||
- grub2_audit_argument
|
||||
- grub2_audit_backlog_limit_argument
|
||||
- - grub2_slub_debug_argument
|
||||
- - grub2_page_poison_argument
|
||||
- grub2_vsyscall_argument
|
||||
- - grub2_pti_argument
|
||||
- - grub2_kernel_trust_cpu_rng
|
||||
|
||||
## Security Settings
|
||||
- sysctl_kernel_kptr_restrict
|
||||
@@ -416,6 +412,4 @@ selections:
|
||||
- zipl_bootmap_is_up_to_date
|
||||
- zipl_audit_argument
|
||||
- zipl_audit_backlog_limit_argument
|
||||
- - zipl_slub_debug_argument
|
||||
- - zipl_page_poison_argument
|
||||
- zipl_vsyscall_argument
|
||||
|
||||
From 972ae269eff95de8a6914056d38e58b7aeafb8c3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 15:12:46 +0100
|
||||
Subject: [PATCH 4/7] add grub2_init_on_alloc rule
|
||||
|
||||
---
|
||||
.../grub2_init_on_alloc_argument/rule.yml | 46 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
2 files changed, 46 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..592e2fb117d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
@@ -0,0 +1,46 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Configure kernel to zero out memory before allocation (through Grub2)'
|
||||
+
|
||||
+description: |-
|
||||
+ To configure the kernel to zero out memory before allocating it, add the
|
||||
+ <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for
|
||||
+ the Linux operating system in <tt>/etc/default/grub</tt>, in the manner
|
||||
+ below:
|
||||
+ <pre>GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"</pre>
|
||||
+ Update the boot parameter for existing kernels by running the following command:
|
||||
+ <pre># grubby --update-kernel=ALL --args="init_on_alloc=1"</pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
|
||||
+ all page allocator and slab allocator memory will be zeroed when allocated,
|
||||
+ eliminating many kinds of "uninitialized heap memory" flaws, effectively
|
||||
+ preventing data leaks.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-85867-0
|
||||
+
|
||||
+ocil_clause: 'the kernel is not configured to zero out memory before allocation'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Make sure that the kernel is configured to zero out memory before
|
||||
+ allocation. Ensure that the parameter is configured in
|
||||
+ <tt>/etc/default/grub</tt>:
|
||||
+ <pre>grep GRUB_CMDLINE_LINUX /etc/default/grub</pre>
|
||||
+ The output should contain <tt>init_on_alloc=1</tt>.
|
||||
+ Run the following command to display command line parameters of all
|
||||
+ installed kernels:
|
||||
+ <pre># grubby --info=ALL | grep args</pre>
|
||||
+ Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: grub2_bootloader_argument
|
||||
+ vars:
|
||||
+ arg_name: init_on_alloc
|
||||
+ arg_value: '1'
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 8aad24b20f7..6835189cd99 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,4 +1,3 @@
|
||||
-CCE-85867-0
|
||||
CCE-85868-8
|
||||
CCE-85872-0
|
||||
CCE-85873-8
|
||||
|
||||
From a865514257c85d79aaf7e4286d8723aa1ad8de03 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 24 Jan 2022 10:01:23 +0100
|
||||
Subject: [PATCH 5/7] add zipl_init_on_alloc_argument rule
|
||||
|
||||
---
|
||||
.../zipl_init_on_alloc_argument/rule.yml | 41 +++++++++++++++++++
|
||||
.../tests/correct_option.pass.sh | 15 +++++++
|
||||
.../tests/missing_in_cmdline.fail.sh | 13 ++++++
|
||||
.../tests/missing_in_entry.fail.sh | 13 ++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
5 files changed, 82 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..b47a7757327
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
@@ -0,0 +1,41 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Configure kernel to zero out memory before allocation (through zIPl)'
|
||||
+
|
||||
+description: |-
|
||||
+ To ensure that the kernel is configured to zero out memory before
|
||||
+ allocation, check that all boot entries in
|
||||
+ <tt>/boot/loader/entries/*.conf</tt> have <tt>init_on_alloc=1</tt>
|
||||
+ included in its options.<br />
|
||||
+
|
||||
+ To ensure that new kernels and boot entries continue to zero out memory
|
||||
+ before allocation, add <tt>init_on_alloc=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
|
||||
+ all page allocator and slab allocator memory will be zeroed when allocated,
|
||||
+ eliminating many kinds of "uninitialized heap memory" flaws, effectively
|
||||
+ preventing data leaks.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-85868-8
|
||||
+
|
||||
+ocil_clause: 'the kernel is not configured to zero out memory before allocation'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check that the kernel is configured to zero out memory before allocation
|
||||
+ time, check all boot entries with following command:
|
||||
+ <pre>sudo grep -L"^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf</pre>
|
||||
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: init_on_alloc
|
||||
+ arg_value: '1'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..50cf1b78f70
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
|
||||
@@ -0,0 +1,15 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Make sure boot loader entries contain init_on_alloc=1
|
||||
+for file in /boot/loader/entries/*.conf
|
||||
+do
|
||||
+ if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then
|
||||
+ sed -i '/^options / s/$/ init_on_alloc=1/' "$file"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline contains init_on_alloc=1
|
||||
+if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+ echo "init_on_alloc=1" >> /etc/kernel/cmdline
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..7c0d9154776
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Make sure boot loader entries contain init_on_alloc=1
|
||||
+for file in /boot/loader/entries/*.conf
|
||||
+do
|
||||
+ if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then
|
||||
+ sed -i '/^options / s/$/ init_on_alloc=1/' "$file"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline doesn't contain init_on_alloc=1
|
||||
+sed -Ei 's/(^.*)init_on_alloc=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9d330c9192d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Remove init_on_alloc=1 from all boot entries
|
||||
+sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/*
|
||||
+# But make sure one boot loader entry contains init_on_alloc=1
|
||||
+sed -i '/^options / s/$/ init_on_alloc=1/' /boot/loader/entries/*rescue.conf
|
||||
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline contains init_on_alloc=1
|
||||
+if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+ echo "init_on_alloc=1" >> /etc/kernel/cmdline
|
||||
+fi
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 6835189cd99..05a641aeaf0 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,4 +1,3 @@
|
||||
-CCE-85868-8
|
||||
CCE-85872-0
|
||||
CCE-85873-8
|
||||
CCE-85874-6
|
||||
|
||||
From 9ca5ec04e734941b1c401369b6da6672b42824b1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 24 Jan 2022 10:07:24 +0100
|
||||
Subject: [PATCH 6/7] add new rules to rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index 7e30054bc98..28c7e92d298 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -126,6 +126,7 @@ selections:
|
||||
- grub2_audit_argument
|
||||
- grub2_audit_backlog_limit_argument
|
||||
- grub2_vsyscall_argument
|
||||
+ - grub2_init_on_alloc_argument
|
||||
|
||||
## Security Settings
|
||||
- sysctl_kernel_kptr_restrict
|
||||
@@ -413,3 +414,4 @@ selections:
|
||||
- zipl_audit_argument
|
||||
- zipl_audit_backlog_limit_argument
|
||||
- zipl_vsyscall_argument
|
||||
+ - zipl_init_on_alloc_argument
|
||||
|
||||
From 42a118bcc615051ae4cd268a5fc758aa5d75108d Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 27 Jan 2022 14:08:20 +0100
|
||||
Subject: [PATCH 7/7] make rule names consistent
|
||||
|
||||
---
|
||||
.../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
index 592e2fb117d..a9253c74cc6 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
prodtype: rhel9
|
||||
|
||||
-title: 'Configure kernel to zero out memory before allocation (through Grub2)'
|
||||
+title: 'Configure kernel to zero out memory before allocation'
|
||||
|
||||
description: |-
|
||||
To configure the kernel to zero out memory before allocating it, add the
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
index b47a7757327..fa272250a28 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
prodtype: rhel9
|
||||
|
||||
-title: 'Configure kernel to zero out memory before allocation (through zIPl)'
|
||||
+title: 'Configure kernel to zero out memory before allocation in zIPL'
|
||||
|
||||
description: |-
|
||||
To ensure that the kernel is configured to zero out memory before
|
@ -1,155 +0,0 @@
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index ff3736711dd..5c3d5f34ea8 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -72,6 +72,7 @@ controls:
|
||||
SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
rules:
|
||||
- selinux_state
|
||||
+ - var_selinux_state=enforcing
|
||||
|
||||
- id: R4
|
||||
levels:
|
||||
diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 2a49527c10a..8f2ee31493b 100644
|
||||
--- a/products/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -17,4 +17,3 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
- - '!selinux_state'
|
||||
diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
|
||||
index 89e0d260390..da048c9b556 100644
|
||||
--- a/products/rhel9/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -17,4 +17,3 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
- - '!selinux_state'
|
||||
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||
index 2e60ec43532..b201c495b8d 100644
|
||||
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||
@@ -42,3 +42,29 @@ controls:
|
||||
rules:
|
||||
- var_password_pam_minlen=2
|
||||
- var_some_variable=3
|
||||
+
|
||||
+ # S5, S6 and S7 are used to test if level inheritance is working corectly
|
||||
+ # when multiple levels select the same rule
|
||||
+ - id: S5
|
||||
+ title: Default Crypto Policy
|
||||
+ levels:
|
||||
+ - low
|
||||
+ rules:
|
||||
+ - configure_crypto_policy
|
||||
+ - var_system_crypto_policy=default_policy
|
||||
+
|
||||
+ - id: S6
|
||||
+ title: FIPS Crypto Policy
|
||||
+ levels:
|
||||
+ - medium
|
||||
+ rules:
|
||||
+ - configure_crypto_policy
|
||||
+ - var_system_crypto_policy=fips
|
||||
+
|
||||
+ - id: S7
|
||||
+ title: Future Crypto Policy
|
||||
+ levels:
|
||||
+ - high
|
||||
+ rules:
|
||||
+ - configure_crypto_policy
|
||||
+ - var_system_crypto_policy=future
|
||||
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
||||
index d3d6280042a..fb569280736 100644
|
||||
--- a/tests/unit/ssg-module/test_controls.py
|
||||
+++ b/tests/unit/ssg-module/test_controls.py
|
||||
@@ -92,6 +92,20 @@ def test_controls_levels():
|
||||
c_4b = controls_manager.get_control("abcd-levels", "S4.b")
|
||||
assert c_4b.levels == ["high"]
|
||||
|
||||
+ c_5 = controls_manager.get_control("abcd-levels", "S5")
|
||||
+ assert c_5.levels == ["low"]
|
||||
+
|
||||
+ c_6 = controls_manager.get_control("abcd-levels", "S6")
|
||||
+ assert c_6.levels == ["medium"]
|
||||
+
|
||||
+ c_7 = controls_manager.get_control("abcd-levels", "S7")
|
||||
+ assert c_7.levels == ["high"]
|
||||
+
|
||||
+ # test if all crypto-policy controls have the rule selected
|
||||
+ assert "configure_crypto_policy" in c_5.selections
|
||||
+ assert "configure_crypto_policy" in c_6.selections
|
||||
+ assert "configure_crypto_policy" in c_7.selections
|
||||
+
|
||||
# just the essential controls
|
||||
low_controls = controls_manager.get_all_controls_of_level(
|
||||
"abcd-levels", "low")
|
||||
@@ -104,25 +118,34 @@ def test_controls_levels():
|
||||
|
||||
assert len(high_controls) == len(all_controls)
|
||||
assert len(low_controls) <= len(high_controls)
|
||||
- assert len(low_controls) == 4
|
||||
- assert len(medium_controls) == 5
|
||||
+ assert len(low_controls) == 5
|
||||
+ assert len(medium_controls) == 7
|
||||
|
||||
# test overriding of variables in levels
|
||||
assert c_2.variables["var_password_pam_minlen"] == "1"
|
||||
assert "var_password_pam_minlen" not in c_3.variables.keys()
|
||||
assert c_4b.variables["var_password_pam_minlen"] == "2"
|
||||
|
||||
+ variable_found = False
|
||||
for c in low_controls:
|
||||
if "var_password_pam_minlen" in c.variables.keys():
|
||||
+ variable_found = True
|
||||
assert c.variables["var_password_pam_minlen"] == "1"
|
||||
+ assert variable_found
|
||||
|
||||
+ variable_found = False
|
||||
for c in medium_controls:
|
||||
if "var_password_pam_minlen" in c.variables.keys():
|
||||
+ variable_found = True
|
||||
assert c.variables["var_password_pam_minlen"] == "1"
|
||||
+ assert variable_found
|
||||
|
||||
+ variable_found = False
|
||||
for c in high_controls:
|
||||
if "var_password_pam_minlen" in c.variables.keys():
|
||||
+ variable_found = True
|
||||
assert c.variables["var_password_pam_minlen"] == "2"
|
||||
+ assert variable_found
|
||||
|
||||
# now test if controls of lower level has the variable definition correctly removed
|
||||
# because it is overriden by higher level controls
|
||||
@@ -141,6 +164,28 @@ def test_controls_levels():
|
||||
assert s2_low[0].variables["var_some_variable"] == "1"
|
||||
assert s2_low[0].variables["var_password_pam_minlen"] == "1"
|
||||
|
||||
+ # check that low, medium and high levels have crypto policy selected
|
||||
+ s5_low = [c for c in low_controls if c.id == "S5"]
|
||||
+ assert len(s5_low) == 1
|
||||
+ assert "configure_crypto_policy" in s5_low[0].selections
|
||||
+
|
||||
+ s5_medium = [c for c in medium_controls if c.id == "S5"]
|
||||
+ assert len(s5_medium) == 1
|
||||
+ assert "configure_crypto_policy" in s5_medium[0].selections
|
||||
+ s6_medium = [c for c in medium_controls if c.id == "S6"]
|
||||
+ assert len(s6_medium) == 1
|
||||
+ assert "configure_crypto_policy" in s6_medium[0].selections
|
||||
+
|
||||
+ s5_high = [c for c in high_controls if c.id == "S5"]
|
||||
+ assert len(s5_high) == 1
|
||||
+ assert "configure_crypto_policy" in s5_high[0].selections
|
||||
+ s6_high = [c for c in high_controls if c.id == "S6"]
|
||||
+ assert len(s6_high) == 1
|
||||
+ assert "configure_crypto_policy" in s6_high[0].selections
|
||||
+ s7_high = [c for c in high_controls if c.id == "S7"]
|
||||
+ assert len(s7_high) == 1
|
||||
+ assert "configure_crypto_policy" in s7_high[0].selections
|
||||
+
|
||||
|
||||
def test_controls_load_product():
|
||||
product_yaml = os.path.join(ssg_root, "products", "rhel8", "product.yml")
|
@ -1,163 +0,0 @@
|
||||
From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 14 Feb 2022 15:54:37 +0100
|
||||
Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config.
|
||||
|
||||
This configuration must appear at only one place so it doesn't get
|
||||
overriden by a different file that can loaded on a different order and
|
||||
the intended configuration is replaced by non-compliant value.
|
||||
---
|
||||
.../ansible/shared.yml | 36 ++++++++++++++++++
|
||||
.../bash/shared.sh | 38 +++++++++++++++++++
|
||||
.../oval/shared.xml | 4 +-
|
||||
.../sudo_require_reauthentication/rule.yml | 14 +------
|
||||
.../tests/multiple_correct_value.fail.sh | 10 +++++
|
||||
5 files changed, 87 insertions(+), 15 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..b0c67a69af9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
@@ -0,0 +1,36 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
||||
+ register: sudoers_d_defaults_timestamp_timeout
|
||||
+
|
||||
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
|
||||
+
|
||||
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
|
||||
+ lineinfile:
|
||||
+ path: /etc/sudoers
|
||||
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
|
||||
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
|
||||
+ validate: /usr/sbin/visudo -cf %s
|
||||
+ backrefs: yes
|
||||
+ register: edit_sudoers_timestamp_timeout_option
|
||||
+
|
||||
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
|
||||
+ lineinfile: # noqa 503
|
||||
+ path: /etc/sudoers
|
||||
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
|
||||
+ validate: /usr/sbin/visudo -cf %s
|
||||
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..0b623ed4a49
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
@@ -0,0 +1,38 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+
|
||||
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
||||
+
|
||||
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
|
||||
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
|
||||
+fi
|
||||
+
|
||||
+if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
+ cp /etc/sudoers /etc/sudoers.bak
|
||||
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
|
||||
+ # sudoers file doesn't define Option timestamp_timeout
|
||||
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
|
||||
+ else
|
||||
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
|
||||
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
|
||||
+
|
||||
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ # Check validity of sudoers and cleanup bak
|
||||
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
+ rm -f /etc/sudoers.bak
|
||||
+ else
|
||||
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
|
||||
+ mv /etc/sudoers.bak /etc/sudoers
|
||||
+ false
|
||||
+ fi
|
||||
+else
|
||||
+ echo "Skipping remediation, /etc/sudoers failed to validate"
|
||||
+ false
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
index 8f404ca6065..dfc319b6f1f 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
@@ -6,13 +6,13 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
||||
<ind:object object_ref="obj_sudo_timestamp_timeout"/>
|
||||
<ind:state state_ref="state_sudo_timestamp_timeout" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
|
||||
- <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
index 42c6e28f9e6..eebb96678f1 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
@@ -50,16 +50,4 @@ ocil: |-
|
||||
<pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
|
||||
The output should be:
|
||||
<pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
|
||||
-
|
||||
-template:
|
||||
- name: sudo_defaults_option
|
||||
- vars:
|
||||
- option: timestamp_timeout
|
||||
- variable_name: "var_sudo_timestamp_timeout"
|
||||
- # optional minus char added so remediation can detect properly if item is already configured
|
||||
- option_regex_suffix: '=[-]?\w+\b'
|
||||
- backends:
|
||||
- # Template is not able to accomodate this particular check.
|
||||
- # It needs to check for an integer greater than or equal to zero
|
||||
- oval: "off"
|
||||
-
|
||||
+ If results are returned from more than one file location, this is a finding.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a258d6632b5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+
|
||||
+if grep -q 'timestamp_timeout' /etc/sudoers; then
|
||||
+ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
|
||||
+else
|
||||
+ echo "Defaults timestamp_timeout=3" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
|
@ -1,13 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index e9d25a34fbd..13231dc2cc9 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -90,6 +90,7 @@ ocil: |-
|
||||
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
|
||||
" TYPE="crypto_LUKS"</pre>
|
||||
<br /><br />
|
||||
- Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
|
||||
+ The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
|
||||
+ are not required to use disk encryption and are not a finding.
|
||||
|
||||
platform: machine
|
@ -1,43 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
index 395129acb66..60b0ce0eb7d 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
@@ -30,7 +30,7 @@ references:
|
||||
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
|
||||
srg: SRG-OS-000250-GPOS-00093
|
||||
stigid@ol8: OL08-00-010020
|
||||
- stigid@rhel8: RHEL-08-010020
|
||||
+ stigid@rhel8: RHEL-08-010287
|
||||
|
||||
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 04f158116ee..60eafa9c566 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -191,9 +191,7 @@ selections:
|
||||
# RHEL-08-010260
|
||||
- file_groupowner_var_log
|
||||
|
||||
- # *** SHARED *** #
|
||||
- # RHEL-08-010290 && RHEL-08-010291
|
||||
- # *** SHARED *** #
|
||||
+ # RHEL-08-010287
|
||||
- configure_ssh_crypto_policy
|
||||
|
||||
# RHEL-08-010290
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 8f79b22e3e4..9bd1a2b0f51 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -192,9 +192,7 @@ selections:
|
||||
# RHEL-08-010260
|
||||
- file_groupowner_var_log
|
||||
|
||||
- # *** SHARED *** #
|
||||
- # RHEL-08-010290 && RHEL-08-010291
|
||||
- # *** SHARED *** #
|
||||
+ # RHEL-08-010287
|
||||
- configure_ssh_crypto_policy
|
||||
|
||||
# RHEL-08-010290
|
@ -1,146 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
index 08ffd76aed6..399ca1ea3ce 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
@@ -4,6 +4,26 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
|
||||
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^{{{ line }}}$'
|
||||
+ register: sudoers_d_defaults
|
||||
+
|
||||
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: "^{{{ line }}}$"
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_defaults.files }}"
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
||||
+
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
index ea0ac67fa1c..3b327f3fc88 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
@@ -1,5 +1,17 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
||||
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
|
||||
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
|
||||
+fi
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
||||
+
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
+
|
||||
+
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
index 646e6bfb7c0..b3fadd53bee 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
@@ -8,17 +8,17 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_targetpw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_targetpw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_rootpw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_rootpw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_runaspw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_runaspw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -26,19 +26,19 @@
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
index ccc29b77d15..698021d8fd0 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
|
||||
ocil: |-
|
||||
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
|
||||
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
|
||||
- If no results are returned, this is a finding
|
||||
+ If no results are returned, this is a finding.
|
||||
+ If results are returned from more than one file location, this is a finding.
|
||||
If "Defaults !targetpw" is not defined, this is a finding.
|
||||
If "Defaults !rootpw" is not defined, this is a finding.
|
||||
If "Defaults !runaspw" is not defined, this is a finding.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a258d108a00
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6247b5230e4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
@ -1,300 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
index 737d725872d..08b62057bde 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
@@ -1,7 +1,11 @@
|
||||
# platform = multi_platform_all
|
||||
+# reboot = true
|
||||
+# strategy = enable
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
|
||||
- cat >> /etc/bashrc <<'EOF'
|
||||
+ cat >> /etc/profile.d/tmux.sh <<'EOF'
|
||||
if [ "$PS1" ]; then
|
||||
parent=$(ps -o ppid= -p $$)
|
||||
name=$(ps -o comm= -p $parent)
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
index 00ac349e292..4cb2f9e0e04 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
@@ -4,21 +4,27 @@
|
||||
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
|
||||
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
test_ref="test_configure_bashrc_exec_tmux" />
|
||||
+ <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
- <ind:textfilecontent54_test check="only one" check_existence="only_one_exists"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
id="test_configure_bashrc_exec_tmux" version="1">
|
||||
<ind:object object_ref="obj_configure_bashrc_exec_tmux" />
|
||||
- <ind:state state_ref="state_configure_bashrc_exec_tmux" />
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
|
||||
<ind:behaviors singleline="true" multiline="false" />
|
||||
- <ind:filepath>/etc/bashrc</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
- <ind:textfilecontent54_state id="state_configure_bashrc_exec_tmux" version="1">
|
||||
- <ind:subexpression datatype="string" operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:subexpression>
|
||||
- </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
|
||||
+ <unix:object object_ref="obj_tmux_running"/>
|
||||
+ </unix:process58_test>
|
||||
+
|
||||
+ <unix:process58_object id="obj_tmux_running" version="1">
|
||||
+ <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
|
||||
+ <unix:pid datatype="int" operation="greater than">0</unix:pid>
|
||||
+ </unix:process58_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
index 3ba0f4a2d8f..7afc5fc5e6b 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
@@ -7,12 +7,20 @@ title: 'Support session locking with tmux'
|
||||
description: |-
|
||||
The <tt>tmux</tt> terminal multiplexer is used to implement
|
||||
automatic session locking. It should be started from
|
||||
- <tt>/etc/bashrc</tt>.
|
||||
+ <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
|
||||
+ Additionally it must be ensured that the <tt>tmux</tt> process is running
|
||||
+ and it can be verified with the following command:
|
||||
+ <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
|
||||
rationale: |-
|
||||
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
|
||||
provides a mechanism to lock sessions after period of inactivity.
|
||||
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The remediation does not start the tmux process, so it must be
|
||||
+ manually started or have the system rebooted after applying the fix.
|
||||
+
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
@@ -26,17 +34,21 @@ references:
|
||||
stigid@ol8: OL08-00-020041
|
||||
stigid@rhel8: RHEL-08-020041
|
||||
|
||||
-ocil_clause: 'exec tmux is not present at the end of bashrc'
|
||||
+ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
|
||||
|
||||
ocil: |-
|
||||
To verify that tmux is configured to execute,
|
||||
run the following command:
|
||||
- <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc</pre>
|
||||
+ <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*</pre>
|
||||
The output should return the following:
|
||||
<pre>if [ "$PS1" ]; then
|
||||
parent=$(ps -o ppid= -p $$)
|
||||
name=$(ps -o comm= -p $parent)
|
||||
case "$name" in sshd|login) exec tmux ;; esac
|
||||
fi</pre>
|
||||
+ To verify that the tmux process is running,
|
||||
+ run the following command:
|
||||
+ <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
+ If the command does not produce output, this is a finding.
|
||||
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..221c18665ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..1702bb17e79
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+
|
||||
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..16d4acfcb5a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
|
||||
@@ -0,0 +1,20 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6cb9d83efc5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+# remediation = none
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+killall tmux || true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..f13a8b038e4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,105 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+cat > /etc/bashrc <<'EOF'
|
||||
+# /etc/bashrc
|
||||
+
|
||||
+# System wide functions and aliases
|
||||
+# Environment stuff goes in /etc/profile
|
||||
+
|
||||
+# It's NOT a good idea to change this file unless you know what you
|
||||
+# are doing. It's much better to create a custom.sh shell script in
|
||||
+# /etc/profile.d/ to make custom changes to your environment, as this
|
||||
+# will prevent the need for merging in future updates.
|
||||
+
|
||||
+# Prevent doublesourcing
|
||||
+if [ -z "$BASHRCSOURCED" ]; then
|
||||
+ BASHRCSOURCED="Y"
|
||||
+
|
||||
+ # are we an interactive shell?
|
||||
+ if [ "$PS1" ]; then
|
||||
+ if [ -z "$PROMPT_COMMAND" ]; then
|
||||
+ case $TERM in
|
||||
+ xterm*|vte*)
|
||||
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
|
||||
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
|
||||
+ elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
|
||||
+ PROMPT_COMMAND="__vte_prompt_command"
|
||||
+ else
|
||||
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
|
||||
+ fi
|
||||
+ ;;
|
||||
+ screen*)
|
||||
+ if [ -e /etc/sysconfig/bash-prompt-screen ]; then
|
||||
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
|
||||
+ else
|
||||
+ PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
|
||||
+ fi
|
||||
+ ;;
|
||||
+ *)
|
||||
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
|
||||
+ ;;
|
||||
+ esac
|
||||
+ fi
|
||||
+ # Turn on parallel history
|
||||
+ shopt -s histappend
|
||||
+ history -a
|
||||
+ # Turn on checkwinsize
|
||||
+ shopt -s checkwinsize
|
||||
+ [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
|
||||
+ # You might want to have e.g. tty in prompt (e.g. more virtual machines)
|
||||
+ # and console windows
|
||||
+ # If you want to do so, just add e.g.
|
||||
+ # if [ "$PS1" ]; then
|
||||
+ # PS1="[\u@\h:\l \W]\\$ "
|
||||
+ # fi
|
||||
+ # to your custom modification shell script in /etc/profile.d/ directory
|
||||
+ fi
|
||||
+
|
||||
+ if ! shopt -q login_shell ; then # We're not a login shell
|
||||
+ # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
|
||||
+ pathmunge () {
|
||||
+ case ":${PATH}:" in
|
||||
+ *:"$1":*)
|
||||
+ ;;
|
||||
+ *)
|
||||
+ if [ "$2" = "after" ] ; then
|
||||
+ PATH=$PATH:$1
|
||||
+ else
|
||||
+ PATH=$1:$PATH
|
||||
+ fi
|
||||
+ esac
|
||||
+ }
|
||||
+
|
||||
+ # By default, we want umask to get set. This sets it for non-login shell.
|
||||
+ # Current threshold for system reserved uid/gids is 200
|
||||
+ # You could check uidgid reservation validity in
|
||||
+ # /usr/share/doc/setup-*/uidgid file
|
||||
+ if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
|
||||
+ umask 002
|
||||
+ else
|
||||
+ umask 022
|
||||
+ fi
|
||||
+
|
||||
+ SHELL=/bin/bash
|
||||
+ # Only display echos from profile.d scripts if we are no login shell
|
||||
+ # and interactive - otherwise just process them to set envvars
|
||||
+ for i in /etc/profile.d/*.sh; do
|
||||
+ if [ -r "$i" ]; then
|
||||
+ if [ "$PS1" ]; then
|
||||
+ . "$i"
|
||||
+ else
|
||||
+ . "$i" >/dev/null
|
||||
+ fi
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ unset i
|
||||
+ unset -f pathmunge
|
||||
+ fi
|
||||
+
|
||||
+fi
|
||||
+# vim:ts=4:sw=4
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
@ -1,209 +0,0 @@
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
index 5b3afb324df..67d6836e873 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
@@ -14,12 +14,3 @@
|
||||
- xorg-x11-server-Xwayland
|
||||
{{% endif %}}
|
||||
state: absent
|
||||
-
|
||||
-
|
||||
-- name: Switch to multi-user runlevel
|
||||
- file:
|
||||
- src: /usr/lib/systemd/system/multi-user.target
|
||||
- dest: /etc/systemd/system/default.target
|
||||
- state: link
|
||||
- force: yes
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
index dbabe572d2a..496dc74be7c 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
@@ -12,6 +12,3 @@
|
||||
{{% if product not in ["rhel7", "ol7"] %}}
|
||||
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
{{% endif %}}
|
||||
-
|
||||
-# configure run level
|
||||
-systemctl set-default multi-user.target
|
||||
\ No newline at end of file
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
index 0710efe9f1b..0868ec6eae7 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
@@ -2,10 +2,6 @@
|
||||
<definition class="compliance" id="xwindows_remove_packages" version="1">
|
||||
{{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
|
||||
<criteria>
|
||||
- {{%- if init_system == "systemd" and target_oval_version != [5, 10] %}}
|
||||
- <extend_definition comment="system is configured to boot into multi-user.target"
|
||||
- definition_ref="xwindows_runlevel_target" />
|
||||
- {{%- endif %}}
|
||||
<criterion comment="package xorg-x11-server-Xorg is not installed"
|
||||
test_ref="package_xorg-x11-server-Xorg_removed" />
|
||||
<extend_definition comment="package xorg-x11-server-common is removed"
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
index 10e51577a12..6ceb07bd574 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
@@ -19,14 +19,6 @@ description: |-
|
||||
{{% else %}}
|
||||
<pre>sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre>
|
||||
{{% endif %}}
|
||||
- Additionally, setting the system's default target to
|
||||
- <tt>multi-user.target</tt> will prevent automatic startup of the X server.
|
||||
- To do so, run:
|
||||
- <pre>$ systemctl set-default multi-user.target</pre>
|
||||
- You should see the following output:
|
||||
- <pre>Removed symlink /etc/systemd/system/default.target.
|
||||
- Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.</pre>
|
||||
-
|
||||
|
||||
rationale: |-
|
||||
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
|
||||
@@ -72,6 +64,8 @@ warnings:
|
||||
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
|
||||
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
|
||||
which might bring your system to an inconsistent state requiring additional configuration to access the system
|
||||
- again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
|
||||
+ again.
|
||||
+ The rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.
|
||||
+ If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
|
||||
continuing installation.
|
||||
{{{ ovirt_rule_notapplicable_warning("X11 graphic libraries are dependency of OpenStack Cinderlib storage provider") | indent(4) }}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
|
||||
deleted file mode 100644
|
||||
index 9bf62a42d28..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default multi-user.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
|
||||
deleted file mode 100644
|
||||
index 4eeb6971486..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b3908cff002
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..abafdbd624a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
|
||||
@@ -0,0 +1,16 @@
|
||||
+#!/bin/bash
|
||||
+# based on shared/templates/package_removed/tests/package-installed-removed.pass.sh
|
||||
+
|
||||
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a403e108082
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index ff7d0efda29..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,4 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 7
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index d8ecd8c7361..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 7
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index 14f1a97bc4f..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,4 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index c678ef711d9..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index bf8a615b1dc..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
|
||||
deleted file mode 100644
|
||||
index 652088b85ae..00000000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
|
File diff suppressed because one or more lines are too long
@ -1,685 +0,0 @@
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
index dac47a1c6d1..3a6167a5717 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
@@ -39,7 +39,7 @@ references:
|
||||
nist: CM-5(6),CM-5(6).1
|
||||
srg: SRG-OS-000259-GPOS-00100
|
||||
stigid@ol8: OL08-00-010350
|
||||
- stigid@rhel8: RHEL-08-010350
|
||||
+ stigid@rhel8: RHEL-08-010351
|
||||
stigid@sle12: SLES-12-010876
|
||||
stigid@sle15: SLES-15-010356
|
||||
stigid@ubuntu2004: UBTU-20-010431
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index 50fdb17bd2e..6a05a2b82ea 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6a05a2b82ea
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type d -exec chgrp root '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..36461f5e5c3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3f09e3dd018
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
index 043ad6b2dee..36461f5e5c3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
index e2362388678..ba923d8ac55 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
@@ -27,7 +27,7 @@ references:
|
||||
srg: SRG-OS-000258-GPOS-00099
|
||||
stigid@ubuntu2004: UBTU-20-010424
|
||||
|
||||
-ocil_clause: 'any system exectables directories are found to not be owned by root'
|
||||
+ocil_clause: 'any system executables directories are found to not be owned by root'
|
||||
|
||||
ocil: |-
|
||||
System executables are stored in the following directories by default:
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index 28e193f827c..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,28 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="dir_ownership_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- directories therein, are owned by root.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_dir_ownership_lib_dir" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_dir_ownership_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_owner_library_dirs_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_owner_library_dirs_not_root" version="1">
|
||||
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
index d6a0beddf6e..f0781b307b3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
@@ -27,6 +27,8 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-89021-0
|
||||
+ cce@rhel9: CCE-89022-8
|
||||
cce@sle12: CCE-83236-0
|
||||
cce@sle15: CCE-85735-9
|
||||
|
||||
@@ -34,6 +36,7 @@ references:
|
||||
disa: CCI-001499
|
||||
nist: CM-5(6),CM-5(6).1
|
||||
srg: SRG-OS-000259-GPOS-00100
|
||||
+ stigid@rhel8: RHEL-08-010341
|
||||
stigid@sle12: SLES-12-010874
|
||||
stigid@sle15: SLES-15-010354
|
||||
stigid@ubuntu2004: UBTU-20-010429
|
||||
@@ -49,3 +52,14 @@ ocil: |-
|
||||
For each of these directories, run the following command to find files not
|
||||
owned by root:
|
||||
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ recursive: 'true'
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
similarity index 69%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
index 01891664f64..a0d4990582e 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -type d -exec chown root '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
similarity index 63%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
index 59b8a1867eb..f366c2d7922 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_rhel
|
||||
+groupadd nogroup
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
index a0e4e24b4f4..add26b2e778 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
@@ -1,8 +1,8 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="dir_permissions_library_dirs" version="1">
|
||||
{{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are not group-writable or world-writable.
|
||||
+ Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64
|
||||
+ are not group-writable or world-writable.
|
||||
") }}}
|
||||
<criteria operator="AND">
|
||||
<criterion test_ref="dir_test_perms_lib_dir" />
|
||||
@@ -19,7 +19,7 @@
|
||||
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
<unix:filename xsi:nil="true" />
|
||||
<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">dir_perms_state_symlink</filter>
|
||||
+ <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>
|
||||
</unix:file_object>
|
||||
|
||||
<unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
|
||||
@@ -27,7 +27,7 @@
|
||||
<unix:owrite datatype="boolean">true</unix:owrite>
|
||||
</unix:file_state>
|
||||
|
||||
- <unix:file_state id="dir_perms_state_symlink" version="1">
|
||||
+ <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">
|
||||
<unix:type operation="equals">symbolic link</unix:type>
|
||||
</unix:file_state>
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
index db89a5e47a1..6e62e8c6bbf 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
@@ -60,3 +60,14 @@ ocil: |-
|
||||
To find shared libraries that are group-writable or world-writable,
|
||||
run the following command for each directory <i>DIR</i> which contains shared libraries:
|
||||
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ recursive: 'true'
|
||||
+ filemode: '0755'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
index 6b3a2905068..eec7485f90c 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = medium
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
index a9e8c7d8e25..e352dd34a67 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index de81a3703b4..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,18 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = medium
|
||||
-# disruption = medium
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
|
||||
- register: libraries_not_owned_by_root
|
||||
- changed_when: False
|
||||
- failed_when: False
|
||||
- check_mode: no
|
||||
-
|
||||
-- name: "Set ownership of system libraries to root"
|
||||
- file:
|
||||
- path: "{{ item }}"
|
||||
- owner: "root"
|
||||
- with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
|
||||
- when: libraries_not_owned_by_root | length > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index c75167d2fe7..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,8 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
|
||||
-do
|
||||
- if [ -d $LIBDIR ]
|
||||
- then
|
||||
- find -L $LIBDIR \! -user root -exec chown root {} \;
|
||||
- fi
|
||||
-done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index 59ee3d82a21..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,39 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="file_ownership_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are owned by root.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_ownership_lib_dir" />
|
||||
- <criterion test_ref="test_ownership_lib_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_file_ownership_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">
|
||||
- <unix:object object_ref="object_file_ownership_lib_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_owner_libraries_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
|
||||
- <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">state_owner_libraries_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_owner_libraries_not_root" version="1">
|
||||
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
index d80681c1e65..b6bc18e8310 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
@@ -60,3 +60,14 @@ ocil: |-
|
||||
For each of these directories, run the following command to find files not
|
||||
owned by root:
|
||||
<pre>$ sudo find -L <i>$DIR</i> ! -user root -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..92c6a0889d4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
+
|
||||
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
+do
|
||||
+ if [[ -d $SYSLIBDIRS ]]
|
||||
+ then
|
||||
+ find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;
|
||||
+ fi
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..84da71f45f7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
+
|
||||
+useradd user_test
|
||||
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
+do
|
||||
+ if [[ ! -f $TESTFILE ]]
|
||||
+ then
|
||||
+ touch $TESTFILE
|
||||
+ fi
|
||||
+ chown user_test $TESTFILE
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index cf9eebace8b..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,18 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = high
|
||||
-# disruption = medium
|
||||
-- name: "Read list of world and group writable files in libraries directories"
|
||||
- command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
|
||||
- register: world_writable_library_files
|
||||
- changed_when: False
|
||||
- failed_when: False
|
||||
- check_mode: no
|
||||
-
|
||||
-- name: "Disable world/group writability to library files"
|
||||
- file:
|
||||
- path: "{{ item }}"
|
||||
- mode: "go-w"
|
||||
- with_items: "{{ world_writable_library_files.stdout_lines }}"
|
||||
- when: world_writable_library_files.stdout_lines | length > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index af04ad625d3..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-# platform = multi_platform_all
|
||||
-DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
-for dirPath in $DIRS; do
|
||||
- find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
|
||||
-done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index f25c52260c4..00000000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,46 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="file_permissions_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are not group-writable or world-writable.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_perms_lib_dir" />
|
||||
- <criterion test_ref="test_perms_lib_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_file_permissions_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">
|
||||
- <unix:object object_ref="object_file_permissions_lib_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">perms_state_symlink</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
|
||||
- <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">perms_state_symlink</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
|
||||
- <unix:gwrite datatype="boolean">true</unix:gwrite>
|
||||
- <unix:owrite datatype="boolean">true</unix:owrite>
|
||||
- </unix:file_state>
|
||||
-
|
||||
- <unix:file_state id="perms_state_symlink" version="1">
|
||||
- <unix:type operation="equals">symbolic link</unix:type>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
index 9a07e76929e..5a708cf78c3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
@@ -61,3 +61,14 @@ ocil: |-
|
||||
To find shared libraries that are group-writable or world-writable,
|
||||
run the following command for each directory <i>DIR</i> which contains shared libraries:
|
||||
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ filemode: '0755'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
|
||||
similarity index 100%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
index eaf04c8d36c..ec135b5279c 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
|
||||
|
||||
title: |-
|
||||
Verify the system-wide library files in directories
|
||||
- "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
|
||||
+ "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
|
||||
|
||||
description: |-
|
||||
System-wide library files are stored in the following directories
|
||||
@@ -15,7 +15,7 @@ description: |-
|
||||
/usr/lib64
|
||||
</pre>
|
||||
All system-wide shared library files should be protected from unauthorised
|
||||
- access. If any of these files is not owned by root, correct its owner with
|
||||
+ access. If any of these files is not group-owned by root, correct its group-owner with
|
||||
the following command:
|
||||
<pre>$ sudo chgrp root <i>FILE</i></pre>
|
||||
|
||||
@@ -48,7 +48,7 @@ references:
|
||||
stigid@sle15: SLES-15-010355
|
||||
stigid@ubuntu2004: UBTU-20-01430
|
||||
|
||||
-ocil_clause: 'system wide library files are not group owned by root'
|
||||
+ocil_clause: 'system wide library files are not group-owned by root'
|
||||
|
||||
ocil: |-
|
||||
System-wide library files are stored in the following directories:
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
index 0e982c3b8ca..5356d3742d3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
index 23a7703f57d..7352b60aa4b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
groupadd group_test
|
||||
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index ff23f83cfbf..88b3a7e3783 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -235,8 +235,13 @@ selections:
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
+ # RHEL-08-010341
|
||||
+ - dir_ownership_library_dirs
|
||||
+
|
||||
# RHEL-08-010350
|
||||
- root_permissions_syslibrary_files
|
||||
+
|
||||
+ # RHEL-08-010351
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
# RHEL-08-010360
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 8cc6d132591..65465be2c07 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -236,8 +236,13 @@ selections:
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
+ # RHEL-08-010341
|
||||
+ - dir_ownership_library_dirs
|
||||
+
|
||||
# RHEL-08-010350
|
||||
- root_permissions_syslibrary_files
|
||||
+
|
||||
+ # RHEL-08-010351
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
# RHEL-08-010360
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 8aad24b20f7..eb3f17f4f3d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -2957,8 +2957,6 @@ CCE-89017-8
|
||||
CCE-89018-6
|
||||
CCE-89019-4
|
||||
CCE-89020-2
|
||||
-CCE-89021-0
|
||||
-CCE-89022-8
|
||||
CCE-89023-6
|
||||
CCE-89024-4
|
||||
CCE-89025-1
|
||||
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
|
||||
index 68fc2e1e17e..0b4ab594155 100644
|
||||
--- a/shared/templates/file_groupowner/ansible.template
|
||||
+++ b/shared/templates/file_groupowner/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
|
||||
index fd2e5db5d93..64a494471a8 100644
|
||||
--- a/shared/templates/file_groupowner/oval.template
|
||||
+++ b/shared/templates/file_groupowner/oval.template
|
||||
@@ -45,6 +45,10 @@
|
||||
{{%- else %}}
|
||||
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+ <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
|
||||
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
||||
index 590c9fc6055..dba9e65a277 100644
|
||||
--- a/shared/templates/file_owner/ansible.template
|
||||
+++ b/shared/templates/file_owner/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
|
||||
index 105e29c81c8..777831d790d 100644
|
||||
--- a/shared/templates/file_owner/oval.template
|
||||
+++ b/shared/templates/file_owner/oval.template
|
||||
@@ -44,6 +44,10 @@
|
||||
{{%- else %}}
|
||||
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+ <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
|
||||
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
|
||||
index fc211bdc4c3..6d4dedcee51 100644
|
||||
--- a/shared/templates/file_permissions/ansible.template
|
||||
+++ b/shared/templates/file_permissions/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Set permissions for {{{ path }}} file(s)
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index b5621425b96..c5a9b6a32ad 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -181,6 +181,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_ownership_library_dirs
|
||||
- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 31221ed632c..32d195e28aa 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -192,6 +192,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_ownership_library_dirs
|
||||
- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
@ -1,161 +0,0 @@
|
||||
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
|
||||
index 65bc439225e..fef4679be39 100644
|
||||
--- a/docs/templates/template_reference.md
|
||||
+++ b/docs/templates/template_reference.md
|
||||
@@ -2,17 +2,20 @@
|
||||
|
||||
#### accounts_password
|
||||
- Checks if PAM enforces password quality requirements. Checks the
|
||||
- configuration in `/etc/pam.d/system-auth` (for RHEL 6 systems) or
|
||||
- `/etc/security/pwquality.conf` (on other systems).
|
||||
+ configuration in `/etc/security/pwquality.conf`.
|
||||
|
||||
- Parameters:
|
||||
|
||||
- - **variable** - PAM `pam_cracklib` (on RHEL 6) or `pam_pwquality`
|
||||
- (on other systems) module name, eg. `ucredit`, `ocredit`
|
||||
+ - **variable** - PAM `pam_pwquality` password quality
|
||||
+ requirement, eg. `ucredit`, `ocredit`
|
||||
|
||||
- **operation** - OVAL operation, eg. `less than or equal`
|
||||
|
||||
-- Languages: OVAL
|
||||
+ - **zero_comparison_operation** - (optional) OVAL operation, eg. `greater than`.
|
||||
+ When set, it will test if the **variable** value matches the OVAL operation
|
||||
+ when compared to zero.
|
||||
+
|
||||
+- Languages: Ansible, Bash, OVAL
|
||||
|
||||
#### auditd_lineinfile
|
||||
- Checks configuration options of the Audit Daemon in
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
index 912c783650a..9a829ac5119 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
@@ -47,7 +47,7 @@ ocil_clause: 'that is not the case'
|
||||
ocil: |-
|
||||
To check the value for maximum consecutive repeating characters, run the following command:
|
||||
<pre>$ grep maxclassrepeat /etc/security/pwquality.conf</pre>
|
||||
- For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
|
||||
+ For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
|
||||
|
||||
platform: pam
|
||||
|
||||
@@ -56,3 +56,4 @@ template:
|
||||
vars:
|
||||
variable: maxclassrepeat
|
||||
operation: less than or equal
|
||||
+ zero_comparison_operation: greater than
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5d91559d4a2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..4bd8070eb7e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..61538a4945f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..2218250ec7b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..780873c6a86
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
|
||||
index 332a2800317..b995db11ea4 100644
|
||||
--- a/shared/templates/accounts_password/oval.template
|
||||
+++ b/shared/templates/accounts_password/oval.template
|
||||
@@ -7,11 +7,14 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all"
|
||||
+ <ind:textfilecontent54_test check="all" state_operator="AND"
|
||||
comment="check the configuration of /etc/security/pwquality.conf"
|
||||
id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
||||
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
|
||||
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
|
||||
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
||||
+ <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
|
||||
+ {{%- endif %}}
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
||||
@@ -24,5 +27,11 @@
|
||||
<ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
||||
+ <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+ {{%- endif %}}
|
||||
+
|
||||
<external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
|
||||
</def-group>
|
||||
diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
|
||||
index 65c25ec7991..ab849d1fa72 100644
|
||||
--- a/shared/templates/accounts_password/template.py
|
||||
+++ b/shared/templates/accounts_password/template.py
|
||||
@@ -1,4 +1,7 @@
|
||||
+from ssg.utils import parse_template_boolean_value
|
||||
+
|
||||
def preprocess(data, lang):
|
||||
if lang == "oval":
|
||||
data["sign"] = "-?" if data["variable"].endswith("credit") else ""
|
||||
+ data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
|
||||
return data
|
@ -0,0 +1,227 @@
|
||||
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:42:41 +0200
|
||||
Subject: [PATCH 1/3] Add platforms for partition existence
|
||||
|
||||
---
|
||||
shared/applicability/general.yml | 14 +++++++++++++
|
||||
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
|
||||
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
|
||||
shared/macros/10-ansible.jinja | 5 +++++
|
||||
shared/macros/10-bash.jinja | 5 +++++
|
||||
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
|
||||
6 files changed, 65 insertions(+)
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
|
||||
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||
index 2d23d753148..e2f5d04ce00 100644
|
||||
--- a/shared/applicability/general.yml
|
||||
+++ b/shared/applicability/general.yml
|
||||
@@ -77,6 +77,20 @@ cpes:
|
||||
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
|
||||
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
|
||||
|
||||
+ - partition-var-tmp:
|
||||
+ name: "cpe:/a:partition-var-tmp"
|
||||
+ title: "There is a /var/tmp partition"
|
||||
+ check_id: installed_env_mounts_var_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
|
||||
+
|
||||
+ - partition-tmp:
|
||||
+ name: "cpe:/a:partition-tmp"
|
||||
+ title: "There is a /tmp partition"
|
||||
+ check_id: installed_env_mounts_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
|
||||
+
|
||||
- polkit:
|
||||
name: "cpe:/a:polkit"
|
||||
title: "Package polkit is installed"
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..c1bcd6b2431
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..a72f49c8a8f
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/var/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 2d24f730d3f..478f0072bc7 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
when:
|
||||
- result_pam_file_present.stat.exists
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro ansible_partition_conditional(path) -%}}
|
||||
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
|
||||
index 94c3c6f9570..6a7fb165fd2 100644
|
||||
--- a/shared/macros/10-bash.jinja
|
||||
+++ b/shared/macros/10-bash.jinja
|
||||
@@ -2085,3 +2085,8 @@ else
|
||||
echo "{{{ pam_file }}} was not found" >&2
|
||||
fi
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro bash_partition_conditional(path) -%}}
|
||||
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index c8d7bbeffb7..1ec93b6ef7d 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
{{%- else %}}
|
||||
{{%- set user_list="nobody" %}}
|
||||
{{%- endif %}}
|
||||
+
|
||||
+
|
||||
+{{%- macro partition_exists_criterion(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{%- macro partition_exists_tos(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <linux:partition_test check="all" check_existence="all_exist"
|
||||
+ comment="Partition {{{ path }}} exists"
|
||||
+ id="test_partition_{{{ escaped_path }}}_exists"
|
||||
+ version="1">
|
||||
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
+ {{#- <linux:partition_state state_ref="" /> #}}
|
||||
+ </linux:partition_test>
|
||||
+
|
||||
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
||||
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
|
||||
+ </linux:partition_object>
|
||||
+{{%- endmacro %}}
|
||||
|
||||
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:43:21 +0200
|
||||
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
|
||||
|
||||
---
|
||||
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
|
||||
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
index 8ee8c8b12e0..741d0973283 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
@@ -38,7 +38,8 @@ references:
|
||||
stigid@ol8: OL08-00-040132
|
||||
stigid@rhel8: RHEL-08-040132
|
||||
|
||||
-platform: machine
|
||||
+platforms:
|
||||
+ - machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..241c0103d82
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
|
||||
|
||||
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 11:32:38 +0200
|
||||
Subject: [PATCH 3/3] Improve code style
|
||||
|
||||
- Improve description of OVAL macro
|
||||
- Use the escape_id filter to produce IDs
|
||||
---
|
||||
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
|
||||
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
|
||||
shared/macros/10-oval.jinja | 7 +++----
|
||||
3 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
index c1bcd6b2431..edd8ad050f5 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
index a72f49c8a8f..cf9aafbdb04 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/var/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index 1ec93b6ef7d..f302091f7df 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
|
||||
|
||||
{{%- macro partition_exists_criterion(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
{{%- endmacro %}}
|
||||
|
||||
-{{%- macro partition_exists_tos(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- macro partition_exists_test_object(path) %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<linux:partition_test check="all" check_existence="all_exist"
|
||||
comment="Partition {{{ path }}} exists"
|
||||
id="test_partition_{{{ escaped_path }}}_exists"
|
||||
version="1">
|
||||
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
- {{#- <linux:partition_state state_ref="" /> #}}
|
||||
</linux:partition_test>
|
||||
|
||||
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
@ -0,0 +1,92 @@
|
||||
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:35:50 +0200
|
||||
Subject: [PATCH] Add the platform applicability to relevant rules
|
||||
|
||||
---
|
||||
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
index 45a73e0286a..79a19a8d30b 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040123
|
||||
stigid@rhel8: RHEL-08-040123
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
index 7356183bab3..d3f6d6175e5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
@@ -44,7 +44,7 @@ references:
|
||||
stigid@ol8: OL08-00-040125
|
||||
stigid@rhel8: RHEL-08-040125
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
index d153b86934f..10790dc95a7 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040124
|
||||
stigid@rhel8: RHEL-08-040124
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
index 133e7727ca7..05992df4b49 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
@@ -31,7 +31,7 @@ references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||||
nist-csf: PR.IP-1,PR.PT-3
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
index 39fd458ec6b..dc00b2f2376 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040134
|
||||
stigid@rhel8: RHEL-08-040134
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
index 349f3348955..f0c26b6d9c5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040133
|
||||
stigid@rhel8: RHEL-08-040133
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
@ -0,0 +1,48 @@
|
||||
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:14:58 +0200
|
||||
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
|
||||
|
||||
It seems that the data about ansible_mounts should be accessed without
|
||||
the 'ansible_facts' prefix.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 478f0072bc7..e8bff0973f5 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
{{%- endmacro -%}}
|
||||
|
||||
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:16:24 +0200
|
||||
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
|
||||
|
||||
The json_query filter requires package jmespath to be installed.
|
||||
|
||||
This also avoids mismatchs in python version between ansible and
|
||||
python3-jmespath. Some distros (RHEL8) don't have jmespath module
|
||||
available for the same python version ansible is using.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index e8bff0973f5..beb2bc11403 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
|
||||
{{%- endmacro -%}}
|
@ -0,0 +1,33 @@
|
||||
From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 18:53:02 +0200
|
||||
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
|
||||
|
||||
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
|
||||
uses zIPL.
|
||||
---
|
||||
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 65056a654c6..7af675de0d3 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -7,9 +7,16 @@
|
||||
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- {{% if product in ["ol8","rhel8"] %}}
|
||||
+ {{% if product in ["ol8"] %}}
|
||||
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
test_ref="test_grubenv_fips_mode" />
|
||||
+ {{% elif product in ["rhel8"] %}}
|
||||
+ <criteria operator="OR">
|
||||
+ <extend_definition comment="Generic test for s390x architecture"
|
||||
+ definition_ref="system_info_architecture_s390_64" />
|
||||
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
+ test_ref="test_grubenv_fips_mode" />
|
||||
+ </criteria>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
@ -0,0 +1,107 @@
|
||||
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 12:45:24 +0200
|
||||
Subject: [PATCH] Fix rule sudo_custom_logfile
|
||||
|
||||
- Allow only white space after the Default keyword to avoid
|
||||
matching words that only start with Default.
|
||||
- If the variable value contains slashes they need to be escaped
|
||||
because the sed command uses slashes as a separator, otherwise
|
||||
the sed doesn't replace the wrong line during a remediation.
|
||||
|
||||
Also adds 2 test scenarios.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
|
||||
---
|
||||
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
|
||||
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
|
||||
shared/templates/sudo_defaults_option/ansible.template | 2 +-
|
||||
shared/templates/sudo_defaults_option/bash.template | 5 +++--
|
||||
shared/templates/sudo_defaults_option/oval.template | 2 +-
|
||||
6 files changed, 14 insertions(+), 5 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index 739f5f14936..94fbaaa33ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
|
||||
|
||||
ocil: |-
|
||||
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
The command should return a matching output.
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..13ff4559edb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ec24854f0f9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
|
||||
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
|
||||
index 094fa430b64..c9e344ec772 100644
|
||||
--- a/shared/templates/sudo_defaults_option/ansible.template
|
||||
+++ b/shared/templates/sudo_defaults_option/ansible.template
|
||||
@@ -8,7 +8,7 @@
|
||||
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
|
||||
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
|
||||
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
|
||||
validate: /usr/sbin/visudo -cf %s
|
||||
backrefs: yes
|
||||
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
|
||||
index e3563d42db6..e7d962a668d 100644
|
||||
--- a/shared/templates/sudo_defaults_option/bash.template
|
||||
+++ b/shared/templates/sudo_defaults_option/bash.template
|
||||
@@ -9,7 +9,7 @@
|
||||
{{% endif %}}
|
||||
if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
cp /etc/sudoers /etc/sudoers.bak
|
||||
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
# sudoers file doesn't define Option {{{ OPTION }}}
|
||||
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
|
||||
{{%- if not VARIABLE_NAME %}}
|
||||
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
{{% if '/' in OPTION %}}
|
||||
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
{{% endif %}}
|
||||
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
|
||||
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
|
||||
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
|
||||
fi
|
||||
fi
|
||||
{{% endif %}}
|
||||
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
|
||||
index c0d81c95093..a9636a7204a 100644
|
||||
--- a/shared/templates/sudo_defaults_option/oval.template
|
||||
+++ b/shared/templates/sudo_defaults_option/oval.template
|
||||
@@ -13,7 +13,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -0,0 +1,967 @@
|
||||
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Wed, 13 Apr 2022 20:06:18 +0800
|
||||
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
|
||||
|
||||
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
|
||||
A simple test case as follows:
|
||||
|
||||
/etc/rsyslog.conf
|
||||
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
||||
|
||||
/etc/rsyslog.d/custom1.conf
|
||||
local1.* /tmp/local1.out
|
||||
|
||||
/etc/rsyslog.d/custom2.conf
|
||||
local2.* /tmp/local2.out
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index b794ea8db31..02b0c36d899 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,8 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 14 Apr 2022 15:58:04 +0800
|
||||
Subject: [PATCH 02/15] A better fix.
|
||||
|
||||
* Should also fixed the CI failure.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 02b0c36d899..1aebb8f9da5 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,10 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 15 Apr 2022 10:47:37 +0800
|
||||
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
|
||||
|
||||
---
|
||||
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
|
||||
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
|
||||
2 files changed, 113 insertions(+)
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
new file mode 100755
|
||||
index 00000000000..7cb09128d78
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -0,0 +1,56 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0600 from $IncludeConfig passes.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS=0600
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
new file mode 100755
|
||||
index 00000000000..942eaf086a1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -0,0 +1,57 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0601 from $IncludeConfig fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
|
||||
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 19 May 2022 01:22:19 +0800
|
||||
Subject: [PATCH 04/15] The way using 'find' can be retired.
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
|
||||
1 file changed, 5 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 1aebb8f9da5..cece5930ee8 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
-RSYSLOG_CONFIGS=()
|
||||
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+declare -a RSYSLOG_CONFIGS
|
||||
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Get full list of files to be checked
|
||||
-# RSYSLOG_CONFIGS may contain globs such as
|
||||
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
-RSYSLOG_FILES=()
|
||||
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
-do
|
||||
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
|
||||
- RSYSLOG_FILES+=("${FINDOUT[@]}")
|
||||
-done
|
||||
-
|
||||
-# Check file and fix if needed.
|
||||
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
|
||||
+# Browse each file selected above as containing paths of log files
|
||||
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:30:37 +0800
|
||||
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cece5930ee8..50d36d7426f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
+# Array to hold all rsyslog config entries
|
||||
declare -a RSYSLOG_CONFIGS
|
||||
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
+# Array to hold all rsyslog config files
|
||||
+declare -a RSYSLOG_CONFIG_FILES
|
||||
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
+do
|
||||
+ # If directory, need to include files recursively
|
||||
+ if [ -d "${ENTRY}" ]
|
||||
+ then
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
+ elif [ -f "${ENTRY}" ]
|
||||
+ then
|
||||
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
||||
+ else
|
||||
+ echo "Invalid include object: ${ENTRY}"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
# Browse each file selected above as containing paths of log files
|
||||
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:46:33 +0800
|
||||
Subject: [PATCH 06/15] Update test files.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 7cb09128d78..2ddd9fcb697 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 942eaf086a1..73ff3332c6d 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
|
||||
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 10:03:32 +0800
|
||||
Subject: [PATCH 07/15] Rsyslog says we should include all files
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
|
||||
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
|
||||
3 files changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 50d36d7426f..cd5014105e9 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -24,7 +24,7 @@ do
|
||||
# If directory, need to include files recursively
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 2ddd9fcb697..755865ca522 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -31,12 +35,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 73ff3332c6d..063b1a0cbe5 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,20 +10,24 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -32,12 +36,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sat, 21 May 2022 16:02:26 +0800
|
||||
Subject: [PATCH 08/15] Match glob() function of rsyslog
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
|
||||
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
|
||||
3 files changed, 55 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cd5014105e9..38105bf086b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
|
||||
declare -a RSYSLOG_CONFIG_FILES
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
- # If directory, need to include files recursively
|
||||
+ # If directory, rsyslog will search for config files in recursively.
|
||||
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 755865ca522..a5a2f67fadc 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 063b1a0cbe5..a9d0adfb727 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,48 +10,61 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sun, 22 May 2022 21:10:16 +0800
|
||||
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 38105bf086b..e1129e34c81 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -54,7 +54,7 @@ do
|
||||
then
|
||||
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
||||
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
||||
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
|
||||
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
|
||||
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
||||
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
||||
# Since above sed command might return more than one item (delimited by newline), split the particular
|
||||
|
||||
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Tue, 24 May 2022 00:42:17 +0800
|
||||
Subject: [PATCH 10/15] Added platform.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index a9d0adfb727..fe4db0a3c91 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
|
||||
# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
# log file permissions 0601 from $IncludeConfig fails.
|
||||
|
||||
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:56:39 +0200
|
||||
Subject: [PATCH 11/15] Reset the arrays before using them
|
||||
|
||||
When bash remediations for a profile are generated, it can happen that a
|
||||
variable with same name is used for multiple remediations.
|
||||
So let's reset the array before using it.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index e1129e34c81..d1856ffbe7b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
# Array to hold all rsyslog config entries
|
||||
-declare -a RSYSLOG_CONFIGS
|
||||
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+RSYSLOG_CONFIGS=()
|
||||
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Array to hold all rsyslog config files
|
||||
-declare -a RSYSLOG_CONFIG_FILES
|
||||
+# Get full list of files to be checked
|
||||
+# RSYSLOG_CONFIGS may contain globs such as
|
||||
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
+RSYSLOG_CONFIG_FILES=()
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# If directory, rsyslog will search for config files in recursively.
|
||||
|
||||
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 14:55:37 +0200
|
||||
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
|
||||
|
||||
Let's follow rsyslog behavior and not capture process hidden config
|
||||
files for includes.
|
||||
---
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
|
||||
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
|
||||
2 files changed, 62 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index a04e6fd8900..d13177216c3 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -17,8 +17,17 @@
|
||||
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
|
||||
+ include() or $IncludeConfig that point to hidden dirs or files.
|
||||
+ Rsyslog ignores these conf files, so we should ignore them too.
|
||||
+ -->
|
||||
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
||||
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
||||
<unique>
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9b0185c6b2f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
@@ -0,0 +1,53 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create hidden test2 configuration file
|
||||
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
|
||||
+cat << EOF > ${test_conf2}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 15:49:11 +0200
|
||||
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
|
||||
|
||||
The rsyslog conf file may include other config files.
|
||||
If the included missing files are missing rsyslog will generate an
|
||||
error, but will still continue working.
|
||||
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
|
||||
|
||||
There is not a good way of ensuring that all files defined in a list of paths exist.
|
||||
---
|
||||
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
|
||||
1 file changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b929f2a94ab
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
@@ -0,0 +1,45 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# Skip creation test2 configuration file
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:47:18 +0200
|
||||
Subject: [PATCH 14/15] Align Ansible remediation with Bash
|
||||
|
||||
The remediation now expands the glob expressions and doesn't collect
|
||||
hidden files or directories to check for their permissions.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index 635b72f7352..c558bf46c71 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -19,19 +19,26 @@
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
||||
- register: include_config_output
|
||||
+ register: rsyslog_old_inc
|
||||
changed_when: False
|
||||
|
||||
- name: "Get include files directives"
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
||||
- register: include_files_output
|
||||
+ register: rsyslog_new_inc
|
||||
changed_when: False
|
||||
|
||||
+- name: "Expand glob expressions"
|
||||
+ shell: |
|
||||
+ set -o pipefail
|
||||
+ eval printf '%s\\n' {{ item }}
|
||||
+ register: include_config_output
|
||||
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
||||
+
|
||||
- name: "List all config files"
|
||||
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
|
||||
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
|
||||
+ shell: find {{ item }} -not -path "*/.*" -type f
|
||||
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
changed_when: False
|
||||
|
||||
|
||||
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:56:05 +0200
|
||||
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
|
||||
|
||||
Let's not fail the task when the find doesn't find the include object.
|
||||
When the include is a glob expression that doesn't evaluate to any file
|
||||
the glob itself is used in find command.
|
||||
|
||||
The Bash remediation prints a message for each include that is not a
|
||||
file is not a directory or doesn't exist.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index c558bf46c71..3a9380cf13b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -40,6 +40,7 @@
|
||||
shell: find {{ item }} -not -path "*/.*" -type f
|
||||
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
+ failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: "Extract log files"
|
@ -0,0 +1,90 @@
|
||||
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||
Subject: [PATCH 1/4] fix ospp references
|
||||
|
||||
---
|
||||
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
index c151d3c4aa1..f9b46c51ddd 100644
|
||||
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
@@ -34,6 +34,7 @@ references:
|
||||
disa: CCI-000213
|
||||
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||
nist: AC-3
|
||||
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
|
||||
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index b47630c62b0..dcc41970043 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -115,7 +115,7 @@ selections:
|
||||
- coredump_disable_storage
|
||||
- coredump_disable_backtraces
|
||||
- service_systemd-coredump_disabled
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- use_pam_wheel_for_su
|
||||
|
||||
|
||||
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||
|
||||
---
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -220,7 +220,7 @@ selections:
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- securetty_root_login_console_only
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- var_password_pam_unix_remember=5
|
||||
- accounts_password_pam_unix_remember
|
||||
|
||||
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||
Subject: [PATCH 4/4] update profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 5d73a8c6fef..21e93e310d5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -242,7 +242,7 @@ selections:
|
||||
- var_slub_debug_options=P
|
||||
- var_auditd_flush=incremental_async
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
-- var_authselect_profile=sssd
|
||||
+- var_authselect_profile=minimal
|
||||
- var_password_pam_unix_remember=5
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
@ -0,0 +1,50 @@
|
||||
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 09:59:57 +0200
|
||||
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
|
||||
grub2_disable_recovery in rhel8 ospp
|
||||
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
index 4f8d4ddcfde..fb126cbe7d8 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
@@ -17,6 +17,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-86006-4
|
||||
cce@rhel9: CCE-85986-8
|
||||
|
||||
references:
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index ebec8a3a6f9..6e3b30f64bb 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -304,7 +304,7 @@ selections:
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
- require_singleuser_auth
|
||||
- - grub2_disable_interactive_boot
|
||||
+ - grub2_disable_recovery
|
||||
- grub2_uefi_password
|
||||
- no_empty_passwords
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 21e93e310d5..267b66a4f89 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -89,7 +89,7 @@ selections:
|
||||
- ensure_redhat_gpgkey_installed
|
||||
- grub2_audit_argument
|
||||
- grub2_audit_backlog_limit_argument
|
||||
-- grub2_disable_interactive_boot
|
||||
+- grub2_disable_recovery
|
||||
- grub2_kernel_trust_cpu_rng
|
||||
- grub2_page_poison_argument
|
||||
- grub2_pti_argument
|
97
SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Normal file
97
SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Normal file
@ -0,0 +1,97 @@
|
||||
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:01:42 +0200
|
||||
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
|
||||
|
||||
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
|
||||
---
|
||||
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
|
||||
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
|
||||
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
|
||||
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
index 9d1b7b675c9..5905ea8d0e6 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
@@ -22,6 +22,7 @@
|
||||
- /usr/sbin/aureport
|
||||
- /usr/sbin/ausearch
|
||||
- /usr/sbin/autrace
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
|
||||
|
||||
- name: Ensure existing AIDE configuration for audit tools are correct
|
||||
lineinfile:
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
index d0a1ba2522f..a81e25c3950 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
@@ -18,12 +18,11 @@
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
-{{% if product == 'ol8' %}}
|
||||
+{{% if product == 'ol8' or 'rhel' in product %}}
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
{{% for file in auditfiles %}}
|
||||
-
|
||||
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
|
||||
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
|
||||
else
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
index 6ce56c1137a..ca9bf4f94d0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
@@ -11,7 +11,7 @@
|
||||
{{% if 'rhel' not in product and product != 'ol8' %}}
|
||||
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
|
||||
{{% endif %}}
|
||||
- {{% if product == 'ol8' %}}
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}
|
||||
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
|
||||
{{% endif %}}
|
||||
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
index 756b88d8a23..071dde13295 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
@@ -7,7 +7,7 @@ aide --init
|
||||
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
index f3a2a126d3d..cb9bbfa7350 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
@@ -4,7 +4,7 @@
|
||||
yum -y install aide
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
index 4315cef2073..a22aecb0000 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
@@ -6,7 +6,7 @@ yum -y install aide
|
||||
aide --init
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
4490
SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Normal file
4490
SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Normal file
File diff suppressed because one or more lines are too long
@ -0,0 +1,187 @@
|
||||
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:50:37 +0200
|
||||
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
|
||||
|
||||
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
|
||||
sysctl_net_ipv4_forward.
|
||||
---
|
||||
.../rule.yml | 44 +++++++++++++++++++
|
||||
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..7b0066f7c29
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
@@ -0,0 +1,44 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ IP forwarding permits the kernel to forward packets from one network
|
||||
+ interface to another. The ability to forward packets between two networks is
|
||||
+ only appropriate for systems acting as routers.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: CCE-86220-1
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-040259
|
||||
+
|
||||
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
|
||||
+ The ability to forward packets is only appropriate for routers.
|
||||
+
|
||||
+fixtext: |-
|
||||
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
|
||||
+
|
||||
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.conf.all.forwarding
|
||||
+ datatype: int
|
||||
+
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
new file mode 100644
|
||||
index 00000000000..2aedd6e6432
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
@@ -0,0 +1,17 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: net.ipv4.conf.all.forwarding
|
||||
+
|
||||
+description: 'Toggle IPv4 Forwarding'
|
||||
+
|
||||
+type: number
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+options:
|
||||
+ default: "0"
|
||||
+ disabled: "0"
|
||||
+ enabled: 1
|
||||
+
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 914233f06bf..3e14b73dd71 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -168,7 +168,6 @@ CCE-86216-9
|
||||
CCE-86217-7
|
||||
CCE-86218-5
|
||||
CCE-86219-3
|
||||
-CCE-86220-1
|
||||
CCE-86221-9
|
||||
CCE-86222-7
|
||||
CCE-86223-5
|
||||
|
||||
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:53:32 +0200
|
||||
Subject: [PATCH 2/2] Better align with RHEL-08-040259
|
||||
|
||||
The item is about net.ipv4.conf.all.forwarding
|
||||
The update to V1R7 made brought this misalignment to light.
|
||||
---
|
||||
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
4 files changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
index 5c449db7f3a..7acfc0b05b6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
@@ -45,7 +45,6 @@ references:
|
||||
stigid@ol7: OL07-00-040740
|
||||
stigid@ol8: OL08-00-040260
|
||||
stigid@rhel7: RHEL-07-040740
|
||||
- stigid@rhel8: RHEL-08-040259
|
||||
stigid@sle12: SLES-12-030430
|
||||
stigid@sle15: SLES-15-040380
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 4b480bd2c11..6b44436a2b1 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1127,7 +1127,7 @@ selections:
|
||||
- sysctl_net_ipv6_conf_default_accept_source_route
|
||||
|
||||
# RHEL-08-040259
|
||||
- - sysctl_net_ipv4_ip_forward
|
||||
+ - sysctl_net_ipv4_conf_all_forwarding
|
||||
|
||||
# RHEL-08-040260
|
||||
- sysctl_net_ipv6_conf_all_forwarding
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 4bee72830d0..47f53a9d023 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -1,7 +1,7 @@
|
||||
title: DISA STIG for Red Hat Enterprise Linux 8
|
||||
description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
|
||||
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
|
||||
|
||||
|
||||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||
@@ -395,13 +395,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index ece32d06a6f..c4e60ddcde5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -405,13 +405,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
@ -0,0 +1,89 @@
|
||||
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 9 Aug 2022 17:28:33 +0200
|
||||
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
|
||||
profile.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
|
||||
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
|
||||
products/rhel8/profiles/stig.profile | 14 +++++++-------
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
||||
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
|
||||
5 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
index 46ea0558a42..1e9c6172758 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
@@ -57,6 +57,7 @@ references:
|
||||
stigid@ol7: OL07-00-040320
|
||||
stigid@ol8: OL08-00-010201
|
||||
stigid@rhel7: RHEL-07-040320
|
||||
+ stigid@rhel8: RHEL-08-010201
|
||||
stigid@sle12: SLES-12-030190
|
||||
stigid@sle15: SLES-15-010280
|
||||
stigid@ubuntu2004: UBTU-20-010037
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
index 0f0693ddc6c..f6e98a61d9a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
@@ -53,6 +53,7 @@ references:
|
||||
stigid@ol7: OL07-00-040340
|
||||
stigid@ol8: OL08-00-010200
|
||||
stigid@rhel7: RHEL-07-040340
|
||||
+ stigid@rhel8: RHEL-08-010200
|
||||
stigid@sle12: SLES-12-030191
|
||||
stigid@sle15: SLES-15-010320
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 6b44436a2b1..124b7520d3a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -170,13 +170,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
- # anymore. They will be disabled for now until an alternative
|
||||
- # solution is found.
|
||||
- # # RHEL-08-010200
|
||||
- # - sshd_set_keepalive_0
|
||||
- # # RHEL-08-010201
|
||||
- # - sshd_set_idle_timeout
|
||||
+ # Although these rules have a different behavior in RHEL>=8.6
|
||||
+ # they still need to be selected so it follows exactly what STIG
|
||||
+ # states.
|
||||
+ # RHEL-08-010200
|
||||
+ - sshd_set_keepalive_0
|
||||
+ # RHEL-08-010201
|
||||
+ - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 47f53a9d023..6c75d0ae1b1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -369,6 +369,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index c4e60ddcde5..8a7a469b940 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -379,6 +379,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
@ -0,0 +1,113 @@
|
||||
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:57:52 +0200
|
||||
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
|
||||
|
||||
Update rule sudoers_default_includedir to accept as compliant sudoers
|
||||
files that don't have any #include or #includedir directive
|
||||
---
|
||||
.../oval/shared.xml | 24 +++++++++++++++----
|
||||
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
|
||||
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
|
||||
3 files changed, 26 insertions(+), 8 deletions(-)
|
||||
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 59cab0b89de..629fbe8c6d2 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -1,10 +1,16 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criteria operator="OR">
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
|
||||
+ </criteria>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -32,6 +38,16 @@
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_without_includedir" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||
<ind:object object_ref="object_sudoersd_without_includes" />
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
index aa2aaee19f8..83bfb0183bd 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -8,9 +8,11 @@ description: |-
|
||||
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||
other directories and configuration files from the file currently being parsed.
|
||||
|
||||
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
|
||||
+ or that no drop-in file is included.
|
||||
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
|
||||
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
|
||||
Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
|
||||
rationale: |-
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
similarity index 51%
|
||||
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
index 1e0ab8aea92..fe73cb25076 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -i "/#includedir.*/d" /etc/sudoers
|
||||
+sed -i "/#include(dir)?.*/d" /etc/sudoers
|
||||
|
||||
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 12:01:12 +0200
|
||||
Subject: [PATCH 2/2] Improve definition's comments
|
||||
|
||||
---
|
||||
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 629fbe8c6d2..82095acc6ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -8,8 +8,8 @@
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
@ -0,0 +1,358 @@
|
||||
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 09:57:33 +0200
|
||||
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
|
||||
.../tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
|
||||
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 496a8491f32..697f79fa872 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,4 +59,8 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..516bfaf1369
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="1"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ef1b8da0479
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="2"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
index e3fc78e3f05..1eae854f6b0 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
@@ -17,5 +17,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- disabled: "0"
|
||||
enabled: 1
|
||||
+ loose: 2
|
||||
|
||||
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 10:53:40 +0200
|
||||
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict_value.var | 1 -
|
||||
4 files changed, 24 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 1984b3c8691..5706eee0a0a 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,6 +42,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..e6efae48b25
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="1"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..be3f2b743ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="2"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
index 452328e3efd..268550de53d 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
@@ -12,6 +12,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- 0: 0
|
||||
1: 1
|
||||
2: 2
|
||||
|
||||
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:08:34 +0200
|
||||
Subject: [PATCH 3/5] Remove variable selector that will result in error
|
||||
|
||||
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
|
||||
cannot have the value 0, it will never result in pass.
|
||||
---
|
||||
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
index b8bf965a255..cbfd9bafa91 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
@@ -13,6 +13,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 2
|
||||
- 0: "0"
|
||||
1: "1"
|
||||
2: "2"
|
||||
|
||||
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:33:03 +0200
|
||||
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
|
||||
|
||||
For now, the only STIGs I see that adopted this change were RHEL's and
|
||||
OL's.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
|
||||
6 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 697f79fa872..f04ae37c13d 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,8 +59,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
index 516bfaf1369..583b70a3b97 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
index ef1b8da0479..ef545976dc6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 5706eee0a0a..f53e035effa 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,10 +42,12 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
index e6efae48b25..70189666c16 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
index be3f2b743ef..209395fa9a1 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
|
||||
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 14:01:40 +0200
|
||||
Subject: [PATCH 5/5] Update OCIL check along with the rule
|
||||
|
||||
The OCIL should should mention both compliant values.
|
||||
---
|
||||
.../rule.yml | 29 +++++++++++++++++--
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
|
||||
2 files changed, 55 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index f04ae37c13d..4d31c6c3ebd 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -47,11 +47,36 @@ references:
|
||||
stigid@rhel7: RHEL-07-040611
|
||||
stigid@rhel8: RHEL-08-040285
|
||||
|
||||
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
|
||||
+ or:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ net.ipv4.conf.all.rp_filter = 1
|
||||
+ or:
|
||||
+ net.ipv4.conf.all.rp_filter = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
|
||||
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
|
||||
|
||||
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index f53e035effa..367934b5672 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -34,6 +34,33 @@ references:
|
||||
|
||||
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
||||
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl kernel.kptr_restrict</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>kernel.kptr_restrict = 1</code>
|
||||
+ or:
|
||||
+ <code>kernel.kptr_restrict = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>kernel.kptr_restrict = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent kernel parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ kernel.kptr_restrict = 1
|
||||
+ or:
|
||||
+ kernel.kptr_restrict = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
|
||||
+
|
||||
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
|
||||
|
||||
platform: machine
|
||||
@@ -52,4 +79,4 @@ template:
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
|
||||
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,92 @@
|
||||
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 8 Aug 2022 14:34:34 +0200
|
||||
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
|
||||
configuring queues
|
||||
|
||||
---
|
||||
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 4ce56d2e6a5..c73d9ec95a6 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -90,3 +90,20 @@ fixtext: |-
|
||||
*.* @@[remoteloggingserver]:[port]"
|
||||
|
||||
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
|
||||
+
|
||||
+warnings:
|
||||
+ - functionality: |-
|
||||
+ It is important to configure queues in case the client is sending log
|
||||
+ messages to a remote server. If queues are not configured, there is a
|
||||
+ danger that the system will stop functioning in case that the connection
|
||||
+ to the remote server is not available. Please consult Rsyslog
|
||||
+ documentation for more information about configuration of queues. The
|
||||
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
+ can look like the following lines:
|
||||
+ <pre>
|
||||
+ $ActionQueueType LinkedList
|
||||
+ $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueMaxDiskSpace 1g
|
||||
+ $ActionQueueSaveOnShutdown on
|
||||
+ $ActionResumeRetryCount -1
|
||||
+ </pre>
|
||||
|
||||
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 09:41:00 +0200
|
||||
Subject: [PATCH 2/3] Apply suggestions from code review
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index c73d9ec95a6..706d3265a08 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -95,14 +95,14 @@ warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
messages to a remote server. If queues are not configured, there is a
|
||||
- danger that the system will stop functioning in case that the connection
|
||||
+ the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
||||
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
can look like the following lines:
|
||||
<pre>
|
||||
$ActionQueueType LinkedList
|
||||
- $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueFileName queuefilename
|
||||
$ActionQueueMaxDiskSpace 1g
|
||||
$ActionQueueSaveOnShutdown on
|
||||
$ActionResumeRetryCount -1
|
||||
|
||||
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 10:55:04 +0200
|
||||
Subject: [PATCH 3/3] Update
|
||||
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 706d3265a08..cce4d5cac1d 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
|
||||
warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
- messages to a remote server. If queues are not configured, there is a
|
||||
+ messages to a remote server. If queues are not configured,
|
||||
the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
@ -2,11 +2,11 @@
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
%global _default_patch_fuzz 2
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.60
|
||||
Release: 7%{?dist}
|
||||
Version: 0.1.63
|
||||
Release: 4%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -19,52 +19,22 @@ BuildArch: noarch
|
||||
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.61-file_groupowner-PR_7791.patch
|
||||
Patch2: scap-security-guide-0.1.61-file_owner-PR_7789.patch
|
||||
Patch3: scap-security-guide-0.1.61-file_permissions-PR_7788.patch
|
||||
Patch4: scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch
|
||||
Patch5: scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch
|
||||
Patch6: scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
|
||||
Patch7: scap-security-guide-0.1.61-RC_277_245-PR_8069.patch
|
||||
Patch8: scap-security-guide-0.1.61-RC_248_249-PR_8071.patch
|
||||
Patch9: scap-security-guide-0.1.61-RC_251-PR_8072.patch
|
||||
Patch10: scap-security-guide-0.1.61-RC_246_250-PR_8070.patch
|
||||
Patch11: scap-security-guide-0.1.61-RC_247-PR_8114.patch
|
||||
Patch12: scap-security-guide-0.1.61-RC_254-PR_8113.patch
|
||||
Patch13: scap-security-guide-0.1.61-RC_253-PR_8111.patch
|
||||
Patch14: scap-security-guide-0.1.61-RC_255-PR_8112.patch
|
||||
Patch15: scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch
|
||||
Patch16: scap-security-guide-0.1.61-RC_244-PR_8133.patch
|
||||
Patch17: scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch
|
||||
Patch18: scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch
|
||||
Patch19: scap-security-guide-0.1.61-remove_RHEL_08_010560-PR_8145.patch
|
||||
Patch20: scap-security-guide-0.1.61-add_RHEL_08_040321-PR_8169.patch
|
||||
Patch21: scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch
|
||||
Patch22: scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch
|
||||
Patch23: scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch
|
||||
Patch24: scap-security-guide-0.1.61-update_RHEL_08_010030-PR_8183.patch
|
||||
Patch25: scap-security-guide-0.1.61-selinux_state_rhel8_anssi_enhanced-PR_8182.patch
|
||||
Patch26: scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
|
||||
Patch27: scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
|
||||
Patch28: scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch
|
||||
Patch29: scap-security-guide-0.1.61-pwquality-PR_8185.patch
|
||||
Patch30: scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch
|
||||
Patch31: scap-security-guide-0.1.61-rhel86_ospp_fix_audit_ospp_general-PR_8152.patch
|
||||
Patch32: scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch
|
||||
Patch33: scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch
|
||||
Patch34: scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch
|
||||
Patch35: scap-security-guide-0.1.61-rhel9_ospp_remove_kernel_rules-PR_8092.patch
|
||||
Patch36: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
|
||||
Patch37: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
|
||||
Patch38: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
|
||||
Patch39: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
|
||||
Patch40: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
|
||||
Patch41: scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
|
||||
Patch42: scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
|
||||
Patch43: scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch
|
||||
Patch44: scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
|
||||
Patch45: scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch
|
||||
Patch46: scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch
|
||||
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
|
||||
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
|
||||
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
|
||||
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
|
||||
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
|
||||
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
|
||||
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
|
||||
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
|
||||
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
|
||||
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
|
||||
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
|
||||
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
|
||||
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
|
||||
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
|
||||
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
|
||||
Patch16: scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
@ -169,6 +139,35 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
|
||||
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
|
||||
|
||||
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
|
||||
- Fix Ansible partition conditional (RHBZ#2032403)
|
||||
|
||||
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||
- aligning with the latest STIG update (RHBZ#2112937)
|
||||
- OSPP: use Authselect minimal profile (RHBZ#2117192)
|
||||
- OSPP: change rules for protecting of boot (RHBZ#2116440)
|
||||
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
|
||||
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
|
||||
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
|
||||
- fix handling of Rsyslog include directives (RHBZ#2075384)
|
||||
|
||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
||||
|
||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||
- Rebase to a new upstream release (RHBZ#2070564)
|
||||
|
||||
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
|
||||
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
|
||||
- Fix Ansible sysctl remediation (RHBZ#2079241)
|
||||
|
||||
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
||||
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
|
||||
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
|
||||
|
||||
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
||||
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user