rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import scap-security-guide-0.1.54-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 14:09:32 -04:00 committed by Stepan Oksanichenko
parent 82da654d43
commit 9aab723dde
44 changed files with 25445 additions and 2648 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/scap-security-guide-0.1.50.tar.bz2 SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.54.tar.bz2

3
.scap-security-guide.metadata
View File

@ -1 +1,2 @@
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2 b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2

57
SOURCES/disable-not-in-good-shape-profiles.patch
View File

@ -1,25 +1,24 @@
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com> From: Watson Sato <wsato@redhat.com>
Date: Fri, 17 Jan 2020 19:01:22 +0100 Date: Thu, 3 Dec 2020 14:35:47 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
They raise too many errors and fails.
Also disable tables for profiles that are not built.
--- ---
rhel8/CMakeLists.txt | 2 -- rhel8/CMakeLists.txt | 6 ------
rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/cjis.profile | 2 +- rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +- rhel8/profiles/ism_o.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +- rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +- rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +- rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +- rhel8/profiles/standard.profile | 2 +-
9 files changed, 8 insertions(+), 10 deletions(-) 11 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index 40f2b2b0f..492a8dae1 100644 index d61689c97..5e444a101 100644
--- a/rhel8/CMakeLists.txt --- a/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") @@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi") ssg_build_html_table_by_ref(${PRODUCT} "anssi")
@ -27,28 +26,44 @@ index 40f2b2b0f..492a8dae1 100644
ssg_build_html_nistrefs_table(${PRODUCT} "ospp") ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig") ssg_build_html_nistrefs_table(${PRODUCT} "stig")
# Uncomment when anssi profiles are marked documentation_complete: true -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
-
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index ccad93d67..6a854378c 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'ANSSI BP-028 (high)'
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 05ea9cdd6..9c55ac5b1 100644 index 035d2705b..c6475f33e 100644
--- a/rhel8/profiles/cjis.profile --- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
title: 'Criminal Justice Information Services (CJIS) Security Policy' metadata:
version: 5.4
diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
index eb62252a4..e8f369708 100644 index a3c427c01..4605dea3b 100644
--- a/rhel8/profiles/cui.profile --- a/rhel8/profiles/ism_o.profile
+++ b/rhel8/profiles/cui.profile +++ b/rhel8/profiles/ism_o.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' metadata:
SMEs:
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644 index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile --- a/rhel8/profiles/rhelh-stig.profile
@ -90,5 +105,5 @@ index a63ae2cf3..da669bb84 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
-- --
2.21.1 2.26.2

187
SOURCES/remove-ANSSI-high-ks.patch Normal file
View File

@ -0,0 +1,187 @@
From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 17 Feb 2021 15:36:59 +0100
Subject: [PATCH] Remove kickstart for profile not shipped
RHEL-8 ANSSI high is not shipped at the momment
---
.../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
1 file changed, 167 deletions(-)
delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
deleted file mode 100644
index b5c09253a..000000000
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ /dev/null
@@ -1,167 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
-# Version: 0.0.1
-# Date: 2020-12-10
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
-#
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-#
-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
-# "--bootproto=static" must be used. For example:
-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
-#
-network --onboot yes --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g.
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-# to see how to create encrypted password form for different plaintext password
-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g.
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-# content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-# functionality will automatically be installed. However, by default, no policies are enforced,
-# meaning that no checks are performed during or after installation unless specifically configured.
-#
-# Important
-# Applying a security policy is not necessary on all systems. This screen should only be used
-# when a specific policy is mandated by your organization rules or government regulations.
-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-# Values can be optionally enclosed in single quotes (') or double quotes (").
-#
-# The following keys are recognized by the add-on:
-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
-# - If the content-type is scap-security-guide, the add-on will use content provided by the
-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
-# xccdf-id - ID of the benchmark you want to use.
-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
-# profile - ID of the profile to be applied. Use default to apply the default profile.
-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
-#
-# The following is an example %addon org_fedora_oscap section which uses content from the
-# scap-security-guide on the installation media:
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
-%end
-
-# Packages selection (%packages section is required)
-%packages
-
-# Require @Base
-@Base
-
-%end # End of %packages section
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
--
2.26.2

71
SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
View File

@ -1,71 +0,0 @@
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 08:17:20 +0200
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
---
.../ansible/shared.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
new file mode 100644
index 0000000000..5d76b3c073
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: yes
+ dest: "/etc/logrotate.conf"
+ regexp: "^daily$"
+ line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: no
+ dest: "/etc/logrotate.conf"
+ regexp: "^(weekly|monthly|yearly)$"
+ state: absent
+
+- name: Configure cron.daily if not already
+ block:
+ - name: Add shebang
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: "#!/bin/sh"
+ insertbefore: BOF
+ create: yes
+ - name: Add logrotate call
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:48:15 +0200
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
Test scenario when monthly is there, but weekly is not.
---
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
new file mode 100644
index 0000000000..b10362989b
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf

115
SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
View File

@ -1,115 +0,0 @@
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:49:08 +0200
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
---
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..a816eea390
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 4" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..b36125f5bb
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 10" >> $SSHD_CONFIG
+fi
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:53:50 +0200
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
---
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
.../tests/correct_value.pass.sh | 2 +-
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
4 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
new file mode 100644
index 0000000000..a7e171dfe9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_sshd_max_sessions)
+
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
new file mode 100644
index 0000000000..fc0a1d8b42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_sshd_max_sessions
+
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
index a816eea390..4cc6d65988 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
else
- echo "MaxSessions 4" >> $SSHD_CONFIG
+ echo "MaxSessions 4" >> $SSHD_CONFIG
fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
index b36125f5bb..bc0c47842a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
else
- echo "MaxSessions 10" >> $SSHD_CONFIG
+ echo "MaxSessions 10" >> $SSHD_CONFIG
fi

147
SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
View File

@ -1,147 +0,0 @@
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 11:52:35 +0200
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
Very likey a copy-pasta error from bash remediation for
audit_rules_immutable
---
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 1c9748ce9b..b56513cdcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
# files to check if '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 12:12:21 +0200
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
Along with very basic test scenarios
---
.../ansible/shared.yml | 28 +++++++++++++++++++
.../tests/augen_correct.pass.sh | 4 +++
.../tests/augen_e_2_immutable.fail.sh | 3 ++
3 files changed, 35 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
new file mode 100644
index 0000000000..b9e8fa87fa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+ find:
+ paths: "/etc/audit/rules.d/"
+ patterns: "*.rules"
+ register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^\s*(?:-f)\s+.*$'
+ state: absent
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+ lineinfile:
+ path: "{{ item }}"
+ create: True
+ line: "-f 2"
+ loop:
+ - "/etc/audit/audit.rules"
+ - "/etc/audit/rules.d/immutable.rules"
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..0587b937e0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 14:06:08 +0200
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
---
.../audit_rules_immutable/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 5ac7b3dabb..1cafb744cc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -17,7 +17,7 @@
state: absent
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
lineinfile:
path: "{{ item }}"
create: True
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 May 2020 11:02:56 +0200
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
---
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
1 file changed, 8 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index b56513cdcd..a349bb1ca1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -4,16 +4,8 @@
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
-#
-# files to check if '-f .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-f 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
-# Append '-f 2' requirement at the end of both:
-# * /etc/audit/audit.rules file (for auditctl case)
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> $AUDIT_FILE

49
SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
View File

@ -1,49 +0,0 @@
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 May 2020 18:16:43 +0200
Subject: [PATCH] Attribute content to CIS
And update the description a bit.
---
rhel7/profiles/cis.profile | 8 +++++---
rhel8/profiles/cis.profile | 8 +++++---
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 0826a49547..829c388133 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
- 12-27-2017.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index f332ee5462..868b9f21a6 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
- 09-30-2019.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules

274
SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
View File

@ -1,274 +0,0 @@
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 12:17:48 +0200
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
---
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
2 files changed, 250 insertions(+)
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
new file mode 100644
index 0000000000..14c82c4231
--- /dev/null
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 0000000000..861db36f18
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject

76
SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
View File

@ -1,76 +0,0 @@
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 22 May 2020 14:12:18 +0200
Subject: [PATCH] Add missing CCEs for RHEL8
---
.../password_storage/no_netrc_files/rule.yml | 1 +
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
.../file_groupownership_home_directories/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 3 ---
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 8547893201..1bd1f5742e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel6: 27225-2
cce@rhel7: 80211-6
+ cce@rhel8: 83444-0
cce@ocp4: 82667-7
references:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index bedf3a0b19..e69bc9d736 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: 80529-1
+ cce@rhel8: 83424-2
references:
stigid@ol7: "020620"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 1c5ac8d099..f931f6d160 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: 80532-5
+ cce@rhel8: 83434-1
references:
stigid@ol7: "020650"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2f0d2a526b..45d03a2c1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -95,7 +95,6 @@ CCE-83411-9
CCE-83421-8
CCE-83422-6
CCE-83423-4
-CCE-83424-2
CCE-83425-9
CCE-83426-7
CCE-83427-5
@@ -105,7 +104,6 @@ CCE-83430-9
CCE-83431-7
CCE-83432-5
CCE-83433-3
-CCE-83434-1
CCE-83435-8
CCE-83436-6
CCE-83437-4
@@ -115,7 +113,6 @@ CCE-83440-8
CCE-83441-6
CCE-83442-4
CCE-83443-2
-CCE-83444-0
CCE-83445-7
CCE-83446-5
CCE-83447-3

103
SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
View File

@ -1,103 +0,0 @@
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
---
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
- name: "Direct root Logins Not Allowed"
copy:
dest: /etc/securetty
content: ""
- when: securetty_empty.stat.size > 1
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
---
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
@@ -13,11 +13,17 @@
{{% else %}}
- (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
-
+{{% endif %}}
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
seboolean:
name: {{{ SEBOOLID }}}
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins
---
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
3 files changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
new file mode 100644
index 0000000000..17251f6a98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
new file mode 100644
index 0000000000..c764814b26
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
new file mode 100644
index 0000000000..43ac341e87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty

308
SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
View File

@ -1,308 +0,0 @@
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 26 May 2020 17:49:21 +0200
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
Affected rules:
- selinux_policytype
- selinux_state
---
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
shared/macros-ansible.jinja | 11 +++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
9 files changed, 61 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 5c70cc9f7f..9f8cf66dfb 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_policy_name)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUXTYPE='
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index d0fbbf4446..2b5ce31b12 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,7 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_policy_name
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
new file mode 100644
index 0000000000..1a6eb94953
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index b465ac6729..1c1560a86c 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_state)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUX='
- line: "SELINUX={{ var_selinux_state }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 58193b5504..a402a861d7 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,10 +1,11 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_state
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
fixfiles onboot
fixfiles -f relabel
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
new file mode 100644
index 0000000000..180dd80791
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
new file mode 100644
index 0000000000..3db1e56b5f
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6798a25d1f..01d3155b37 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/selinux/config.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
{{#
Generates an Ansible task that puts 'contents' into a file at 'filepath'
Parameters:
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 3a94fe5dd8..2531d1c52d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -86,6 +86,21 @@ populate {{{ name }}}
}}}
{{%- endmacro -%}}
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+ path="/etc/selinux/config",
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="",
+ insensitive=true,
+ separator="=",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{#
# Install a package
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 27 May 2020 18:48:57 +0200
Subject: [PATCH 2/2] Remediation requires reboot.
Update OVAL check to disallow spaces.
Removed selinuxtype_minimum test scenario since breaks the system.
---
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
shared/macros-ansible.jinja | 2 +-
shared/macros-bash.jinja | 4 ++--
8 files changed, 14 insertions(+), 16 deletions(-)
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 9f8cf66dfb..73e6ec7cd4 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -1,5 +1,5 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
+# reboot = true
# strategy = restrict
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index 2b5ce31b12..b4f79c97f9 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
index f1840a1290..3d69fff07f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
@@ -27,7 +27,7 @@
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
deleted file mode 100644
index 1a6eb94953..0000000000
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-
-SELINUX_FILE='/etc/selinux/config'
-
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-else
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-fi
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index a402a861d7..645a7acab4 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
index c0881696e1..8c328060af 100644
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 01d3155b37..580a0b948e 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
- value: value of the parameter
#}}
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
{{%- endmacro %}}
{{#
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2531d1c52d..8abcc914d3 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -96,8 +96,8 @@ populate {{{ name }}}
insert_before="",
insensitive=true,
separator="=",
- separator_regex="\s*=\s*",
- prefix_regex="^\s*")
+ separator_regex="=",
+ prefix_regex="^")
}}}
{{%- endmacro -%}}

40
SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
View File

@ -1,40 +0,0 @@
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 23:36:18 +0200
Subject: [PATCH] Ansible mount_option: split mount and option task
Separate task that adds mount options mounts the mountpoint into two tasks.
Conditioning the "mount" task on the absence of the target mount option
caused the task to always be skipped when mount option was alredy present,
and could result in the mount point not being mounted.
---
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 95bede25f9..a0cf8d6b7a 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -26,14 +26,19 @@
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
+ set_fact:
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
+ when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
mount:
path: "{{{ MOUNTPOINT }}}"
src: "{{ mount_info.source }}"
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
+ opts: "{{ mount_info.options }}"
state: "mounted"
fstype: "{{ mount_info.fstype }}"
when:
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
- device_name.stdout is defined
- (device_name.stdout | length > 0)

33
SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
View File

@ -1,33 +0,0 @@
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 May 2020 16:46:07 +0200
Subject: [PATCH] reorder groups because of permissions verification
---
ssg/build_yaml.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index e3e138283c..c9f3179c08 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -700,6 +700,11 @@ def to_xml_element(self):
# audit_rules_privileged_commands, othervise the rule
# does not catch newly installed screeen binary during remediation
# and report fail
+ # the software group should come before the
+ # bootloader-grub2 group because of conflict between
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
+ # specific rules concerning permissions should
+ # be applied after the general rpm_verify_permissions
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
# the firewalld_activation must come before ruleset_modifications, othervise
# remediations for ruleset_modifications won't work
@@ -707,6 +712,7 @@ def to_xml_element(self):
# otherwise the remediation prints error although it is successful
priority_order = [
"accounts", "auditing",
+ "software", "bootloader-grub2",
"fips", "crypto",
"firewalld_activation", "ruleset_modifications",
"disabling_ipv6", "configuring_ipv6"

171
SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
View File

@ -1,171 +0,0 @@
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 01:20:53 +0200
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
All paths in /etc/rsyslog.conf were taken as log files, but paths
in lines containing "include" or "$IncludeConfig" are config files.
Let's not take them in as log files
---
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69df2..c74f3da3f5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,8 +87,18 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their permissions don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 00:16:37 +0200
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
The remediation script also needs to parse the files included via
"include()".
The awk also takes into consideration the multiline aspect.
---
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 6cbf0c6a24..dca35301e7 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 15:53:58 +0200
Subject: [PATCH 3/4] Make regex for include file more strict
For some reason gensub in awk doesn't support non capturing group.
So the group with OR is capturing and we substitute everyting with the
second group, witch matches the file path.
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index dca35301e7..99d2d0e794 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 16:55:02 +0200
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
These three files basically work the same way
---
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 5828f25321..9941e2b94f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -86,8 +86,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
index 3c46eab6d6..29dd1a989e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
@@ -83,8 +83,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their owner don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c74f3da3f5..da37a15b8c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,10 +87,10 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_ignore_include_paths</filter>
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
include() or $IncludeConfig statements.
These paths are conf files, not log files. Their permissions don't need to be as

1216
SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
View File

File diff suppressed because it is too large Load Diff

11626
SOURCES/scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch Normal file
View File

File diff suppressed because one or more lines are too long

137
SOURCES/scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch Normal file
View File

@ -0,0 +1,137 @@
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 7da2e067a6..5d01170aab 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -33,6 +33,7 @@ references:
cis@sle12: 5.2.4
cis@sle15: 5.2.6
stigid@rhel7: RHEL-07-040710
+ stigid@ol7: OL07-00-040710
srg: SRG-OS-000480-GPOS-00227
disa: CCI-000366
nist: CM-6(b)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 87c3cb7f5a..5683676bfc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -23,7 +23,6 @@ identifiers:
cce@sle12: CCE-83017-4
references:
- stigid@ol7: OL07-00-040710
cui: 3.1.13
disa: CCI-000366
nist: CM-6(a),AC-17(a),AC-17(2)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 50c7d689af..42cb32e30e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -51,7 +51,6 @@ identifiers:
cce@rhel8: CCE-81032-5
references:
- stigid@ol7: OL07-00-040110
cis: 5.2.10
cjis: 5.5.6
cui: 3.1.13,3.13.11,3.13.8
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
index 0751064179..73de17af35 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -32,6 +32,7 @@ references:
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040110
+ stigid@ol7: OL07-00-040110
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index c490756daf..13997f9418 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -46,7 +46,6 @@ identifiers:
cce@sle12: CCE-83036-4
references:
- stigid@ol7: OL07-00-040400
cis: 5.2.12
cui: 3.1.13,3.13.11,3.13.8
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index 88d2d77e14..bd597f0860 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -25,6 +25,7 @@ references:
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040400
+ stigid@ol7: OL07-00-040400
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 7267d2443a..b0fe065d86 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
stig@rhel7: RHEL-07-040711
+ stig@ol7: OL07-00-040711
disa: CCI-000366
nist: CM-6(b)
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 820a942220..dfcbbafd17 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
ocil: |-
To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index 7d5778d4f6..37cb36cda3 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
ocil: |-
To verify the home directory ownership, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>

34
SOURCES/scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch Normal file
View File

@ -0,0 +1,34 @@
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 Jan 2021 09:42:26 +0100
Subject: [PATCH] Add metadata to ANSSI R35
Current implementation cannot diferentiate between system and
standard user umask, they are both set to the same value.
---
controls/anssi.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..621996e985 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -572,10 +572,18 @@ controls:
only be read by the user and his group, and be editable only by his owner).
The umask for users must be set to 0077 (any file created by a user is
readable and editable only by him).
+ notes: >-
+ There is no simple way to check and remediate different umask values for
+ system and standard users reliably.
+ The different values are set in a conditional clause in a shell script
+ (e.g. /etc/profile or /etc/bashrc).
+ The current implementation checks and fixes both umask to the same value.
+ automated: partially
rules:
- var_accounts_user_umask=077
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
- id: R36
title: Rights to access sensitive content files

94
SOURCES/scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch Normal file
View File

@ -0,0 +1,94 @@
From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 14:01:03 +0100
Subject: [PATCH 1/3] add rule
---
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
new file mode 100644
index 0000000000..1811c43815
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,rhel7,rhel8
+
+title: 'Disable loading and unloading of kernel modules'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
+
+rationale: |-
+ Malicious kernel modules can have a significant impact on system security and
+ availability. Disabling loading of kernel modules prevents this threat. Note
+ that once this option has been set, it cannot be reverted without doing a
+ system reboot. Make sure that all needed kernel modules are loaded before
+ setting this option.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83392-1
+ cce@rhel8: CCE-83397-0
+
+references:
+ anssi: BP28(R24)
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.modules_disabled
+ sysctlval: '1'
+ datatype: int
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 14:01:15 +0100
Subject: [PATCH 2/3] add rule to anssi profile
---
controls/anssi.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 9e2b899b6d..f435459af3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -483,7 +483,8 @@ controls:
sysctl kernel.modules_disabledconf:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
- # rules: TBD
+ rules:
+ - sysctl_kernel_modules_disabled
- id: R25
level: enhanced
From a4a91fbb7f23854e4f80819a023c1adc4e7110c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 Jan 2021 09:30:01 +0100
Subject: [PATCH 3/3] remove cces from pool
---
shared/references/cce-redhat-avail.txt | 2 --
1 file changed, 2 deletions(-)
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4dbec8255c..137d975a3d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,5 +1,3 @@
-CCE-83392-1
-CCE-83397-0
CCE-83398-8
CCE-83399-6
CCE-83404-4

117
SOURCES/scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch Normal file
View File

@ -0,0 +1,117 @@
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:25:05 +0200
Subject: [PATCH 1/2] var pam unix remember, add selector
Add selector "2" to var_password_pam_unix_remember.
---
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
index f533a36963..6e7abb3b78 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
@@ -18,6 +18,7 @@ options:
"0": "0"
10: 10
24: 24
+ 2: 2
4: 4
5: 5
default: 5
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:29:47 +0200
Subject: [PATCH 2/2] Select rules for password strenght management
Rule selection is based on ANSSI DAT-NT-001
---
controls/anssi.yml | 45 ++++++++++++++++++-
.../var_password_pam_minlen.var | 2 +
...ar_accounts_password_minlen_login_defs.var | 2 +
3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..3ccd0f8cb3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -281,7 +281,50 @@ controls:
- id: R18
level: minimal
title: Administrator password robustness
- # rules: TBD
+ notes: >-
+ The rules selected below establish a general password strength baseline of 100 bits,
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
+
+ The baseline should be reviewed and tailored to the system's use case and needs.
+ automated: partially
+ rules:
+ # Renew passwords every 90 days
+ - var_accounts_maximum_age_login_defs=90
+ - accounts_maximum_age_login_defs
+
+ # Ensure passwords with minimum of 18 characters
+ - var_password_pam_minlen=18
+ - accounts_password_pam_minlen
+ # Enforce password lenght for new accounts
+ - var_accounts_password_minlen_login_defs=18
+ - accounts_password_minlen_login_defs
+ # Require at Least 1 Special Character in Password
+ - var_password_pam_ocredit=1
+ - accounts_password_pam_ocredit
+ # Require at Least 1 Numeric Character in Password
+ - var_password_pam_dcredit=1
+ - accounts_password_pam_dcredit
+ # Require at Least 1 Uppercase Character in Password
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_ucredit
+ # Require at Least 1 Lowercase Character in Password
+ - var_password_pam_lcredit=1
+ - accounts_password_pam_lcredit
+
+ # Lock out users after 3 failed authentication attempts within 15 min
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ # Automatically unlock users after 15 min to prevent DoS
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - accounts_passwords_pam_faillock_unlock_time
+
+ # Do not reuse last two passwords
+ - var_password_pam_unix_remember=2
+ - accounts_password_pam_unix_remember
- id: R19
level: intermediary
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
index f506a090bb..873d907ab9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
@@ -15,6 +15,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
7: 7
8: 8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
index f41ff432ec..662c53b076 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
@@ -13,6 +13,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
8: 8
default: 15

47
SOURCES/scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch Normal file
View File

@ -0,0 +1,47 @@
From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 28 Oct 2020 18:52:13 +0100
Subject: [PATCH] Select rules for ANSSI R37
These rules are better fit for R37 than R38.
R37 is about binaries designed to be used with setuid or setgid bits.
R38 is about reducing number of binaries with setuid root.
---
controls/anssi.yml | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..4648b98dff 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -590,8 +590,17 @@ controls:
- id: R37
level: minimal
- title: Executables with setuid and/or setgid bits
- # rules: TBD
+ title: Executables with setuid and setgid bits
+ notes: >-
+ Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
+ This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
+ recognized and authorized repositories (covered in R15).
+ The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
+ should be reviewed.
+ automated: yes
+ rules:
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
- id: R38
level: enhanced
@@ -600,9 +609,7 @@ controls:
Setuid executables should be as small as possible. When it is expected
that only the administrators of the machine execute them, the setuid bit
must be removed and prefer them commands like su or sudo, which can be monitored
- rules:
- - file_permissions_unauthorized_suid
- - file_permissions_unauthorized_sgid
+ # rules: TBD
- id: R39
level: intermediary

37
SOURCES/scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch Normal file
View File

@ -0,0 +1,37 @@
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 Jan 2021 11:04:05 +0100
Subject: [PATCH] Add variable selector and notes for R29
---
controls/anssi.yml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..3303d70295 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -521,10 +521,22 @@ controls:
description: >-
Remote user sessions (shell access, graphical clients) must be closed
after a certain period of inactivity.
+ notes: >-
+ There is no specific capability to check remote user inactivity, but some shells allow the
+ session inactivity time out to be configured via TMOUT variable.
+ In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
+ The server is configured to disconnect sessions if no data has been received within the idle timeout,
+ regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
+ In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
+ The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
+ "don't disconnect network inactive sessions". The server either probes for the client liveness
+ or keeps inactive sessions connected.
+ automated: yes
rules:
- accounts_tmout
+ - var_accounts_tmout=10_min
- sshd_set_idle_timeout
- - sshd_idle_timeout_value=5_minutes
+ - sshd_idle_timeout_value=10_minutes
- sshd_set_keepalive
- id: R30

106
SOURCES/scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch Normal file
View File

@ -0,0 +1,106 @@
From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:07:48 +0100
Subject: [PATCH 1/4] add rule
---
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 3 --
2 files changed, 43 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
new file mode 100644
index 0000000000..67131e509c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,rhel7
+
+title: 'Prevent remote hosts from connecting to the proxy display'
+
+description: |-
+ The SSH daemon should prevent remote hosts from connecting to the proxy
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
+ <tt>yes</tt> within the SSH server configuration file.
+
+
+rationale: |-
+ When X11 forwarding is enabled, there may be additional exposure to the
+ server and client displays if the sshd proxy display is configured to listen
+ on the wildcard address. By default, sshd binds the forwarding server to the
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
+ environment variable to localhost. This prevents remote hosts from
+ connecting to the proxy display.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83404-4
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+ stig@rhel7: RHEL-07-040711
+ disa: CCI-000366
+ nist: CM-6(b)
+
+ocil_clause: "the display proxy is listening on wildcard address"
+
+ocil: |-
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: X11UseLocalhost
+ rule_id: sshd_x11_use_localhost
+ value: 'yes'
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:08:08 +0100
Subject: [PATCH 2/4] add rule to the stig profile
---
rhel7/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 88b50d5ef4..817e0982e5 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -286,6 +286,7 @@ selections:
- package_vsftpd_removed
- package_tftp-server_removed
- sshd_enable_x11_forwarding
+ - sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed
- xwindows_runlevel_target
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Fri, 15 Jan 2021 07:46:09 +0100
Subject: [PATCH 4/4] Update
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 67131e509c..7267d2443a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
template:
name: sshd_lineinfile
vars:
- missing_parameter_pass: 'false'
+ missing_parameter_pass: 'true'
parameter: X11UseLocalhost
rule_id: sshd_x11_use_localhost
value: 'yes'

196
SOURCES/scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff Normal file
View File

@ -0,0 +1,196 @@
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 851993512..515a4a172 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -850,7 +850,8 @@ controls:
- id: R63
level: intermediary
title: Explicit arguments in sudo specifications
- # rules: TBD
+ rules:
+ - sudoers_explicit_command_args
- id: R64
level: intermediary
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
new file mode 100644
index 000000000..94a0cb421
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
+ <criteria operator="AND">
+ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Make sure that no command in user spec is without any argument"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="object_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
+ where a command is <runas spec>?<anything except ,>+,
+ - ',' is a command delimiter, while
+ The last capturing group holds the offending command without args.
+ -->
+ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
new file mode 100644
index 000000000..a0590c8b0
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+title: "Explicit arguments in sudo specifications"
+
+description: |-
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
+ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
+
+rationale: |-
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
+ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
+ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
+ level of its specification.
+
+ For example, on some systems, the kernel messages are only accessible by root.
+ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
+ in order to prevent the user from flushing the buffer through the -c option:
+ <pre>
+ user ALL = dmesg ""
+ </pre>
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83631-2
+ cce@rhel8: CCE-83632-0
+
+references:
+ anssi: BP28(R63)
+
+ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
+
+ocil: |-
+ To determine if arguments that commands can be executed with are restricted, run the following command:
+ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return no output.
+
+platform: sudo
+
+warnings:
+ - general:
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
+
+ - general:
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
+ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
new file mode 100644
index 000000000..b0d05b2a5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+
+echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
+echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
new file mode 100644
index 000000000..c6f885f9f
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
new file mode 100644
index 000000000..fce851f55
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
new file mode 100644
index 000000000..baf66468d
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# remediation = none
+# packages = sudo
+
+# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
+# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
+# and val2 is another command in the user spec.
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
+
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
new file mode 100644
index 000000000..9a04a205a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
new file mode 100644
index 000000000..4a3a7c94b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+# packages = sudo
+
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
+echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
new file mode 100644
index 000000000..9643a3337
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
+echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
+
+echo 'user ALL = ALL' > /etc/sudoers.d/bar
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4dbec8255..94a116b59 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -140,8 +140,6 @@ CCE-83626-2
CCE-83627-0
CCE-83628-8
CCE-83629-6
-CCE-83631-2
-CCE-83632-0
CCE-83633-8
CCE-83634-6
CCE-83635-3

213
SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch Normal file
View File

@ -0,0 +1,213 @@
From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Thu, 4 Feb 2021 09:43:51 +0100
Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
---
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
9 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 52af3ef47e..4e249f61e2 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 702f23d4dc..a1511b157a 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index b875692944..981d291847 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 4a114aebb6..7fc4945518 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
index bf3804b3fa..ee3a20bcc2 100644
--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
index 6e0f83ebb7..8e4b92584f 100644
--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
index 119e98364f..ec490c38ee 100644
--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
index 21a50f52fd..386cbcc169 100644
--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
index a3e5e5fec1..28f7ff0927 100644
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition

426
SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch Normal file
View File

@ -0,0 +1,426 @@
From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:41:26 +0100
Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
- No need to restrict IPv6
- Root login is not restricted
- Simplify boot command
- Simplify paritioning
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++--------------
.../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------
2 files changed, 5 insertions(+), 94 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
index 4160ac094c..9bc4eae44f 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
@@ -54,7 +54,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
+network --onboot yes --device eth0 --bootproto dhcp
# Set the system's root password (required)
# Plaintext password is: server
@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
# encrypted password form for different plaintext password
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +75,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
@@ -103,33 +89,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+autopart
# Despite the ID referencing NT-28, the profile is aligned to BP-028
%addon org_fedora_oscap
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 7fc4945518..1d62b55d55 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
# to see how to create encrypted password form for different plaintext password
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +66,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
@@ -103,33 +80,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-logvol swap --name=swap --vgname=VolGroup --size=2016
+autopart
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system.This add-on has been enabled by default
From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:53:20 +0100
Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
- Simplify boot command
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
index ab654410b5..20c4c59a78 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 981d291847..3a241b06f4 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:03:09 +0100
Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
- Keep restricting IPv6
- Audit enabled during boot
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 2e75873a28..1d35bedb91 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 4e249f61e2..728946ecb7 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:08:15 +0100
Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
---
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
index 745dcbd058..73225c2fab 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
@@ -89,7 +89,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index a1511b157a..cd0eff2625 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
@@ -89,7 +80,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr

57
SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch Normal file
View File

@ -0,0 +1,57 @@
From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 01:02:48 +0100
Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
Remediating this during kickstart install time renders the machine
unbootable.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 1811c43815..34e8290f74 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -32,3 +32,6 @@ template:
sysctlvar: kernel.modules_disabled
sysctlval: '1'
datatype: int
+ backends:
+ # Automated remediation of this rule disrupts installs via kickstart
+ bash: 'off'
From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:23:17 +0100
Subject: [PATCH 2/2] Add warning why rule has no remediation
Rule sysctl_kernel_modules_disabled disrupts the install and boot
process if remediated during installation.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 34e8290f74..438cd2759e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -26,6 +26,11 @@ references:
platform: machine
+warnings:
+ - general:
+ This rule doesn't come with Bash remediation.
+ Remediating this rule during the installation process disrupts the install and boot process.
+
template:
name: sysctl
vars:
@@ -33,5 +38,5 @@ template:
sysctlval: '1'
datatype: int
backends:
- # Automated remediation of this rule disrupts installs via kickstart
+ # Automated remediation of this rule during installations disrupts the first boot
bash: 'off'

62
SOURCES/scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch Normal file
View File

@ -0,0 +1,62 @@
From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 12 Feb 2021 10:36:10 +0100
Subject: [PATCH] remove mrules disabling vfat file systems from cis profiles
---
rhcos4/profiles/moderate.profile | 1 -
rhel7/profiles/cis.profile | 3 +--
rhel8/profiles/cis.profile | 4 ++--
sle15/profiles/cis.profile | 1 -
4 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
index 4e715cae9a..966e092c97 100644
--- a/rhcos4/profiles/moderate.profile
+++ b/rhcos4/profiles/moderate.profile
@@ -627,4 +627,3 @@ selections:
- kernel_module_squashfs_disabled
- kernel_module_udf_disabled
- kernel_module_usb-storage_disabled
- - kernel_module_vfat_disabled
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 22d5117546..093d2b5759 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -46,8 +46,7 @@ selections:
#### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
- kernel_module_udf_disabled
- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
- - kernel_module_vfat_disabled
+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual)
### 1.1.2 Ensure separate partition exists for /tmp (Scored)
- partition_for_tmp
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index 9ceeb74f9a..e96d2fbb9d 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -31,8 +31,8 @@ selections:
#### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
- kernel_module_cramfs_disabled
- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
- - kernel_module_vfat_disabled
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+
#### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
- kernel_module_squashfs_disabled
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
index 9a0efedbdd..fa9ff3b775 100644
--- a/sle15/profiles/cis.profile
+++ b/sle15/profiles/cis.profile
@@ -25,7 +25,6 @@ selections:
- kernel_module_udf_disabled
#### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored)
- - kernel_module_vfat_disabled
### 1.1.2 Ensure /tmp is configured (Scored)
- partition_for_tmp

24
SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch Normal file
View File

@ -0,0 +1,24 @@
From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 25 Jan 2021 18:28:26 +0100
Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
rule.
---
.../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
shared/references/cce-redhat-avail.txt | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index dc9f7dca7c..88d2d77e14 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -19,7 +19,7 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83398-8
+ cce@rhel7: CCE-83636-1
references:
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123

39
SOURCES/scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch Normal file
View File

@ -0,0 +1,39 @@
From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 16 Feb 2021 15:49:46 +0100
Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG
profile.
This rule is not aligned with STIG because it checks for space left in
megabytes, whereas STIG demands space left in percentage.
---
rhel8/profiles/stig.profile | 3 ++-
tests/data/profile_stability/rhel8/stig.profile | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 0aa6f28986..dccfb548b7 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -219,7 +219,8 @@ selections:
- package_rsyslog_installed
- package_rsyslog-gnutls_installed
- rsyslog_remote_loghost
- - auditd_data_retention_space_left
+ # this rule expects configuration in MB instead percentage as how STIG demands
+ # - auditd_data_retention_space_left
- auditd_data_retention_space_left_action
# remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 55b645b67b..41782dcf3d 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -63,7 +63,6 @@ selections:
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_max_log_file_action
-- auditd_data_retention_space_left
- auditd_data_retention_space_left_action
- auditd_local_events
- auditd_log_format

43
SOURCES/scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch Normal file
View File

@ -0,0 +1,43 @@
From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 12 Jan 2021 16:23:07 +0100
Subject: [PATCH 1/2] remove rule from rhel8 stig
---
rhel8/profiles/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 882c481066..cda0239433 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,7 +45,6 @@ selections:
- package_audispd-plugins_installed
- package_libcap-ng-utils_installed
- auditd_audispd_syslog_plugin_activated
- - accounts_passwords_pam_faillock_enforce_local
- accounts_password_pam_enforce_local
- accounts_password_pam_enforce_root
From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 12 Jan 2021 16:23:25 +0100
Subject: [PATCH 2/2] modify profile stability test
---
tests/data/profile_stability/rhel8/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a4ad24aec2..6676ca497c 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -41,7 +41,6 @@ selections:
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_passwords_pam_faillock_deny
-- accounts_passwords_pam_faillock_enforce_local
- accounts_passwords_pam_faillock_interval
- accounts_passwords_pam_faillock_unlock_time
- accounts_umask_etc_bashrc

6088
SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch Normal file
View File

File diff suppressed because it is too large Load Diff

843
SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch Normal file
View File

@ -0,0 +1,843 @@
From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
From: Guang Yee <guang.yee@suse.com>
Date: Mon, 11 Jan 2021 12:55:43 -0800
Subject: [PATCH] Enable checks and remediations for the following SLES-12
STIGs:
- SLES-12-010030 'banner_etc_issue'
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
- SLES-12-010450 'encrypt_partitions'
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
- SLES-12-010500 'package_aide_installed'
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
- SLES-12-010580 'kernel_module_usb-storage_disabled'
- SLES-12-010599 'package_MFEhiplsm_installed'
- SLES-12-010690 'no_files_unowned_by_user'
- SLES-12-030000 'package_telnet-server_removed'
- SLES-12-030010 'ftp_present_banner'
- SLES-12-030050 'sshd_enable_warning_banner'
- SLES-12-030110 'sshd_set_loglevel_verbose'
- SLES-12-030130 'sshd_print_last_log'
- SLES-12-030210 'file_permissions_sshd_pub_key'
- SLES-12-030220 'file_permissions_sshd_private_key'
- SLES-12-030230 'sshd_enable_strictmodes'
- SLES-12-030240 'sshd_use_priv_separation'
- SLES-12-030250 'sshd_disable_compression'
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
---
.../ftp_present_banner/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_sshd_pub_key/rule.yml | 1 +
.../ansible/shared.yml | 2 +-
.../sshd_disable_compression/rule.yml | 1 +
.../sshd_enable_strictmodes/rule.yml | 1 +
.../sshd_enable_warning_banner/rule.yml | 1 +
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
.../sshd_set_loglevel_verbose/rule.yml | 1 +
.../sshd_use_priv_separation/rule.yml | 1 +
.../banner_etc_issue/ansible/shared.yml | 2 +-
.../banner_etc_issue/rule.yml | 4 ++-
.../ansible/shared.yml | 2 +-
.../rule.yml | 2 ++
.../ansible/shared.yml | 2 +-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../bash/shared.sh | 2 +-
.../rule.yml | 2 ++
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../encrypt_partitions/rule.yml | 8 +++++-
.../package_MFEhiplsm_installed/rule.yml | 2 ++
.../aide/package_aide_installed/rule.yml | 3 +++
.../ansible/sle12.yml | 13 ++++++++++
.../rule.yml | 8 +++++-
shared/applicability/general.yml | 4 +++
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
.../kernel_module_disabled/ansible.template | 12 +++++++--
.../kernel_module_disabled/bash.template | 9 ++++++-
.../kernel_module_disabled/oval.template | 5 ++++
sle12/product.yml | 1 +
sle12/profiles/stig.profile | 25 +++++++++++++++++++
37 files changed, 153 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
index 35ba09b0d0..3590a085b6 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80248-8
+ cce@sle12: CCE-83059-6
references:
stigid@sle12: SLES-12-030010
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 317eecdc3d..619b3f0b7d 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -27,6 +27,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27165-0
cce@rhel8: CCE-82182-7
+ cce@sle12: CCE-83084-4
references:
stigid@ol7: OL07-00-021710
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index 2e52219ece..d460411667 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27485-2
cce@rhel8: CCE-82424-3
+ cce@sle12: CCE-83058-8
references:
stigid@ol7: OL07-00-040420
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index e59ddc0770..b9e07d71af 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27311-0
cce@rhel8: CCE-82428-4
+ cce@sle12: CCE-83057-0
references:
stigid@ol7: OL07-00-040410
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
index e07e436d60..f8d422c6c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index fe7e67c1c2..f8eec6a074 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80224-9
cce@rhel8: CCE-80895-6
+ cce@sle12: CCE-83062-0
references:
stigid@ol7: OL07-00-040470
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 22b98c71a2..601f6a0ca2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80222-3
cce@rhel8: CCE-80904-6
+ cce@sle12: CCE-83060-4
references:
stigid@ol7: OL07-00-040450
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 2199d61ca9..c93ef6340f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27314-4
cce@rhel8: CCE-80905-3
+ cce@sle12: CCE-83066-1
references:
stigid@ol7: OL07-00-040170
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index a0b8ed38ae..0ce5da30b2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80225-6
cce@rhel8: CCE-82281-7
+ cce@sle12: CCE-83083-6
references:
stigid@ol7: OL07-00-040360
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 28ce48de8e..2180398855 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82419-3
cce@rhel8: CCE-82420-1
+ cce@sle12: CCE-83077-8
references:
srg: SRG-OS-000032-GPOS-00013
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 14d1acfd22..d65ddb6cd1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80223-1
cce@rhel8: CCE-80908-7
+ cce@sle12: CCE-83061-2
references:
stigid@ol7: OL07-00-040460
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index f3a0c85ea5..ff6b6eab42 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# reboot = false
# strategy = unknown
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index a86ede70f8..637d8ee528 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Modify the System Login Banner'
@@ -52,6 +52,7 @@ identifiers:
cce@rhel7: CCE-27303-7
cce@rhel8: CCE-80763-6
cce@rhcos4: CCE-82555-4
+ cce@sle12: CCE-83054-7
references:
stigid@ol7: OL07-00-010050
@@ -64,6 +65,7 @@ references:
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
stigid@rhel7: RHEL-07-010050
+ stigid@sle12: SLES-12-010030
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index 9d50a9d20c..536ac29569 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index e598f4e8cb..32412aa482 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82041-5
cce@rhel8: CCE-80955-8
+ cce@sle12: CCE-83065-3
references:
stigid@ol7: OL07-00-040000
@@ -30,6 +31,7 @@ references:
srg: SRG-OS-000027-GPOS-00008
vmmsrg: SRG-OS-000027-VMM-000080
stigid@rhel7: RHEL-07-040000
+ stigid@sle12: SLES-12-010120
isa-62443-2013: 'SR 3.1,SR 3.8'
isa-62443-2009: 4.3.3.4
cobit5: DSS01.05,DSS05.02
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
index 23bcdf8641..007b23ba24 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index 4c27eb11fd..1943a00fb2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Encrypt Audit Records Sent With audispd Plugin'
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80540-8
cce@rhel8: CCE-80926-9
+ cce@sle12: CCE-83063-8
references:
stigid@ol7: OL07-00-030310
@@ -33,6 +34,7 @@ references:
nist: AU-9(3),CM-6(a)
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
stigid@rhel7: RHEL-07-030310
+ stigid@sle12: SLES-12-030340
ospp: FAU_GEN.1.1.c
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a3f78cb910..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80179-5
cce@rhel8: CCE-81013-5
cce@rhcos4: CCE-82480-5
+ cce@sle12: CCE-83078-6
references:
stigid@ol7: OL07-00-040830
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040830
+ stigid@sle12: SLES-12-030361
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 0cd3dbc143..7bc4e3b9b7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27434-0
cce@rhel8: CCE-81011-9
cce@rhcos4: CCE-82478-9
+ cce@sle12: CCE-83064-6
references:
stigid@ol7: OL07-00-040610
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040610
+ stigid@sle12: SLES-12-030360
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index c48ec8de3d..f7ee2e9818 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80162-1
cce@rhel8: CCE-80920-2
cce@rhcos4: CCE-82479-7
+ cce@sle12: CCE-83079-4
references:
stigid@ol7: OL07-00-040620
@@ -34,6 +35,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040620
+ stigid@sle12: SLES-12-030370
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index ddf6b07758..861c3485f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
@@ -19,6 +19,7 @@ identifiers:
cce@rhel7: CCE-80999-6
cce@rhel8: CCE-80921-0
cce@rhcos4: CCE-82485-4
+ cce@sle12: CCE-83086-9
references:
stigid@ol7: OL07-00-040650
@@ -31,6 +32,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040650
+ stigid@sle12: SLES-12-030420
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 0a829df187..e49942d1cc 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '{}' find '{}' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index d04df8df86..5bb3cf3713 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80130-8
cce@rhel8: CCE-80783-4
cce@rhcos4: CCE-82753-5
+ cce@sle12: CCE-83047-1
references:
cis@rhe8: 1.1.21
@@ -46,6 +47,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@sle15: 1.1.22
+ stigid@sle12: SLES-12-010460
ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index e664cf9215..faab0b8822 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Ensure All Files Are Owned by a User'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80134-0
cce@rhel8: CCE-83499-4
+ cce@sle12: CCE-83072-9
references:
stigid@ol7: OL07-00-020320
@@ -40,6 +41,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,13,14,15,16,18,3,5,9
cis@sle15: 6.1.11
+ stigid@sle12: SLES-12-010690
ocil_clause: 'files exist that are not owned by a valid user'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index c78b570efb..24e77cc74e 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Disable Modprobe Loading of USB Storage Driver'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27277-3
cce@rhel8: CCE-80835-2
cce@rhcos4: CCE-82719-6
+ cce@sle12: CCE-83069-5
references:
stigid@ol7: OL07-00-020100
@@ -39,6 +40,7 @@ references:
cis-csc: 1,12,15,16,5
cis@rhel8: 1.1.23
cis@sle15: 1.1.3
+ stigid@sle12: SLES-12-010580
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 80d1856778..fe370a4323 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
title: 'Encrypt Partitions'
@@ -14,6 +14,7 @@ description: |-
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
+ {{% if product != "sle12" %}}
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
@@ -26,11 +27,14 @@ description: |-
<br /><br />
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
+ {{% endif %}}
<br /><br />
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the {{{ full_name }}} Documentation web site:<br />
{{% if product in ["ol7", "ol8"] %}}
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
+ {{% elif product == "sle12" %}}
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
{{% endif %}}
@@ -45,6 +49,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27128-8
cce@rhel8: CCE-80789-1
+ cce@sle12: CCE-83046-3
references:
cui: 3.13.16
@@ -58,6 +63,7 @@ references:
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
cis-csc: 13,14
+ stigid@sle12: SLES-12-010450
ocil_clause: 'partitions do not have a type of crypto_LUKS'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
index f96cfc925b..c0bf1ee908 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80368-4
+ cce@sle12: CCE-83071-1
references:
disa: CCI-000366,CCI-001263
@@ -31,6 +32,7 @@ references:
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@rhel7: RHEL-07-020019
+ stigid@sle12: SLES-12-010599
ocil_clause: 'the HBSS HIPS module is not installed'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 699992b48c..23e939bbec 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27096-7
cce@rhel8: CCE-80844-4
+ cce@sle12: CCE-83048-9
references:
cis@rhel8: 1.4.1
@@ -30,6 +31,8 @@ references:
srg: SRG-OS-000363-GPOS-00150
cis@sle15: 1.4.1
ism: 1034,1288,1341,1417
+ stigid@sle12: SLES-12-010500
+ disa@sle12: CCI-002699
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
new file mode 100644
index 0000000000..6fca48166a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: Ensure GPG check is globally activated (zypper)
+ ini_file:
+ dest: /etc/zypp/zypp.conf
+ section: main
+ option: gpgcheck
+ value: 1
+ no_extra_spaces: yes
+ create: False
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 24cef5499c..1f86aff1e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
@@ -33,6 +33,7 @@ severity: high
identifiers:
cce@rhel7: CCE-26989-4
cce@rhel8: CCE-80790-9
+ cce@sle12: CCE-83068-7
references:
stigid@ol7: OL07-00-020050
@@ -54,6 +55,7 @@ references:
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,2,3,9
anssi: BP28(R15)
+ stigid@sle12: SLES-12-010550
ocil_clause: 'GPG checking is not enabled'
@@ -66,4 +68,8 @@ ocil: |-
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
disabled.
+{{% if product == 'sle12' %}}
+platform: zypper
+{{% else %}}
platform: yum
+{{% endif %}}
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index a6581fd713..7382b7dd30 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -74,3 +74,7 @@ cpes:
title: "Package yum is installed"
check_id: installed_env_has_yum_package
+ - zypper:
+ name: "cpe:/a:zypper"
+ title: "Package zypper is installed"
+ check_id: installed_env_has_zypper_package
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
new file mode 100644
index 0000000000..cf14e6af3c
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_zypper_package" version="1">
+ <metadata>
+ <title>Package zypper is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_sle</platform>
+ </affected>
+ <description>Checks if package zypper is installed.</description>
+ <reference ref_id="cpe:/a:zypper" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_zypper_installed" version="1"
+ comment="system has package zypper installed">
+ <linux:object object_ref="obj_env_has_zypper_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
+ <linux:name>zypper</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 47deee6e54..c4a83ad325 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,12 +1,20 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
+ lineinfile:
+ create: yes
+ dest: "/etc/modprobe.d/50-blacklist.conf"
+ regexp: '^blacklist {{{ KERNMODULE }}}$'
+ line: "blacklist {{{ KERNMODULE }}}"
+{{% else %}}
- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
lineinfile:
create: yes
dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
regexp: '{{{ KERNMODULE }}}'
line: "install {{{ KERNMODULE }}} /bin/true"
-
+{{% endif %}}
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
index 42c0830b5f..f70a9925cd 100644
--- a/shared/templates/kernel_module_disabled/bash.template
+++ b/shared/templates/kernel_module_disabled/bash.template
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
else
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
fi
+{{% endif %}}
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
+ {{% if product == "sle12" %}}
+ <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
+ {{% else %}}
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
+ {{% endif %}}
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
init_system: "systemd"
pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
cpes_root: "../shared/applicability"
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 6cf3339569..15c4f70336 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -12,34 +12,59 @@ selections:
- account_temp_expire_date
- accounts_have_homedir_login_defs
- accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
- accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
- accounts_no_uid_except_zero
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_umask_etc_login_defs
+ - auditd_audispd_encrypt_sent_records
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_space_left
+ - banner_etc_issue
- banner_etc_motd
+ - dir_perms_world_writable_sticky_bits
- disable_ctrlaltdel_reboot
+ - encrypt_partitions
+ - ensure_gpgcheck_globally_activated
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - ftp_present_banner
- gnome_gdm_disable_automatic_login
- grub2_password
- grub2_uefi_password
- installed_OS_is_vendor_supported
+ - kernel_module_usb-storage_disabled
- no_empty_passwords
+ - no_files_unowned_by_user
- no_host_based_files
- no_user_host_based_files
+ - package_MFEhiplsm_installed
+ - package_aide_installed
- package_audit-audispd-plugins_installed
- package_audit_installed
+ - package_telnet-server_removed
- postfix_client_configure_mail_alias
- security_patches_up_to_date
- service_auditd_enabled
- set_password_hashing_algorithm_logindefs
+ - sshd_disable_compression
- sshd_disable_empty_passwords
- sshd_disable_user_known_hosts
- sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
- sshd_enable_x11_forwarding
+ - sshd_print_last_log
- sshd_set_idle_timeout
- sshd_set_keepalive
+ - sshd_set_loglevel_verbose
+ - sshd_use_priv_separation
- sudo_remove_no_authenticate
- sudo_remove_nopasswd
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route

1313
SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch Normal file
View File

File diff suppressed because it is too large Load Diff

259
SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch Normal file
View File

@ -0,0 +1,259 @@
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index abcebf60c7..50c7d689af 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -61,7 +61,6 @@ references:
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
- stigid@rhel7: RHEL-07-040110
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..4796a2eab1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved ciphers"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
+ state: present
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..8f751ed516
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
+else
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..53ff0a2a9e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
new file mode 100644
index 0000000000..0751064179
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -0,0 +1,64 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated Ciphers'
+
+description: |-
+ Limit the ciphers to those algorithms which are FIPS-approved.
+ The following line in <tt>/etc/ssh/sshd_config</tt>
+ demonstrates use of FIPS-approved ciphers:
+ <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
+ This rule ensures that there are configured ciphers mentioned
+ above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
+ <br />
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
+ cryptographic modules.
+ <br />
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
+ utilize authentication that meets industry and government requirements. For government systems, this allows
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83398-8
+
+references:
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@rhel7: RHEL-07-040110
+
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
+
+ocil: |-
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
+ ciphers are in use, run the following command:
+ <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
+ The output should contain only following ciphers (or a subset) in the exact order:
+ <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
new file mode 100644
index 0000000000..daff7d7c53
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
new file mode 100644
index 0000000000..b9d22262af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
new file mode 100644
index 0000000000..b99d3832cd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6dfd54631c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..7b38914a1a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
new file mode 100644
index 0000000000..6fdb47093d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
+else
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..24fdf0f30d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
+else
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
+fi
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 6c06a8ede6..adf86894e1 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -239,8 +239,7 @@ selections:
- install_antivirus
- accounts_max_concurrent_login_sessions
- configure_firewalld_ports
- - sshd_approved_ciphers=stig
- - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
- accounts_tmout
- sshd_enable_warning_banner
- sssd_ldap_start_tls

386
SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch Normal file
View File

@ -0,0 +1,386 @@
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:07 +0100
Subject: [PATCH 1/7] add rule and remediations
---
.../ansible/shared.yml | 13 +++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 38 +++++++++++++
.../rule.yml | 57 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
5 files changed, 115 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..cefba7db05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved MACs"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
+ state: present
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..c76190fb96
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..d7fbd9f0ed
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
new file mode 100644
index 0000000000..dc9f7dca7c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated MACs'
+
+description: |-
+ Limit the MACs to those hash algorithms which are FIPS-approved.
+ The following line in <tt>/etc/ssh/sshd_config</tt>
+ demonstrates use of FIPS-approved MACs:
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+ This rule ensures that there are configured MACs mentioned
+ above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83398-8
+
+references:
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
+ stigid@rhel7: RHEL-07-040400
+
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
+
+ocil: |-
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
+ MACs are in use, run the following command:
+ <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
+ The output should contain only following MACs (or a subset) in the exact order:
+ <pre>hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:25 +0100
Subject: [PATCH 2/7] add tests
---
.../tests/comment.fail.sh | 7 +++++++
.../tests/correct_reduced_list.pass.sh | 7 +++++++
.../tests/correct_scrambled.fail.sh | 7 +++++++
.../tests/correct_value.pass.sh | 7 +++++++
.../tests/line_not_there.fail.sh | 3 +++
.../tests/no_parameters.fail.sh | 7 +++++++
.../tests/wrong_value.fail.sh | 7 +++++++
7 files changed, 45 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
new file mode 100644
index 0000000000..26bf18234c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
new file mode 100644
index 0000000000..0d922cdee9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
new file mode 100644
index 0000000000..ce3f459352
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..19da7102a7
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..fd1f19347a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
new file mode 100644
index 0000000000..44c07c6de0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
+else
+ echo 'MACs ' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..cf56cd228f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
+fi
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:58 +0100
Subject: [PATCH 3/7] modify rhel7 stig profile
---
rhel7/profiles/stig.profile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 6c06a8ede6..17c781d3eb 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -28,7 +28,6 @@ selections:
- inactivity_timeout_value=15_minutes
- var_screensaver_lock_delay=5_seconds
- sshd_idle_timeout_value=10_minutes
- - sshd_approved_macs=stig
- var_accounts_fail_delay=4
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
@@ -259,7 +258,7 @@ selections:
- sshd_print_last_log
- sshd_disable_root_login
- sshd_allow_only_protocol2
- - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
- file_permissions_sshd_pub_key
- file_permissions_sshd_private_key
- sshd_disable_gssapi_auth
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:33:10 +0100
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
---
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index 394c733f51..d47eb443f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -54,7 +54,6 @@ references:
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
- stigid@rhel7: RHEL-07-040400
stigid@sle12: SLES-12-030180
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 11:43:16 +0100
Subject: [PATCH 5/7] simplify regex
---
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
index d7fbd9f0ed..5973488661 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 11:55:19 +0100
Subject: [PATCH 6/7] make bash remediation more readable
---
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
index c76190fb96..f8f6f39bee 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
else
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 13:05:18 +0100
Subject: [PATCH 7/7] one more small fix to oval regex
---
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
index 5973488661..b5443b07c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

30
SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch Normal file
View File

@ -0,0 +1,30 @@
From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 18 Jan 2021 15:21:51 +0100
Subject: [PATCH] Supress Ansible lint error 503
It says that Tasks that run when changed should likely be handlers.
However, we don't use handlers, and developer guide says that handlers
aren't supported. I assume handlers would cause problems for SCAP
scanners. Unless we start to support handlers this error isn't fixable
for us therefore we can suppress it globally.
Addressing problems in scap-security-guide-lint-check Jenkins job:
30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
---
tests/ansible-lint_config.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
index d5107476a9..e4b4443f8c 100644
--- a/tests/ansible-lint_config.yml
+++ b/tests/ansible-lint_config.yml
@@ -3,3 +3,4 @@ skip_list:
- '301' # Commands should not change things if nothing needs doing
- '303' # Using command rather than module
- '403' # Package installs should not use latest
+ - '503' # Tasks that run when changed should likely be handlers

73
SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch Normal file
View File

@ -0,0 +1,73 @@
From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 15 Jan 2021 16:28:07 +0100
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
---
.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
.../sshd_enable_x11_forwarding/rule.yml | 1 -
rhel7/profiles/stig.profile | 2 +-
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 1779129f87..7da2e067a6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -19,22 +19,23 @@ rationale: |-
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders.
-severity: low
+severity: medium
-ocil_clause: "that the X11Forwarding option exists and is enabled"
-
-ocil: |-
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
identifiers:
cce@rhel7: CCE-83359-0
cce@rhel8: CCE-83360-8
references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
- cis@sle12: 5.2.4
- cis@sle15: 5.2.6
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
+ cis@sle12: 5.2.4
+ cis@sle15: 5.2.6
+ stigid@rhel7: RHEL-07-040710
+ srg: SRG-OS-000480-GPOS-00227
+ disa: CCI-000366
+ nist: CM-6(b)
template:
name: sshd_lineinfile
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 803e581a0f..87c3cb7f5a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -29,7 +29,6 @@ references:
nist: CM-6(a),AC-17(a),AC-17(2)
nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-040710
stigid@sle12: SLES-12-030260
isa-62443-2013: 'SR 7.6'
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 817e0982e5..6c06a8ede6 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -285,7 +285,7 @@ selections:
- postfix_prevent_unrestricted_relay
- package_vsftpd_removed
- package_tftp-server_removed
- - sshd_enable_x11_forwarding
+ - sshd_disable_x11_forwarding
- sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed

688
SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch Normal file
View File

@ -0,0 +1,688 @@
From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 09:17:15 +0100
Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
This is not necessary as the ANSSI controls file handles this.
---
rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 64a9b542a0..4d0029af1d 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -7,7 +7,6 @@ description:
Agence nationale de la sécurité des systèmes d''information. Based on
https://www.ssi.gouv.fr/.
-extends: anssi_bp28_minimal
selections:
- anssi:all:intermediary
From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 09:21:47 +0100
Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
---
controls/anssi.yml | 2 +-
rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++---
rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++---
rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++----
rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++----
rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++-----
rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++----
9 files changed, 71 insertions(+), 32 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 2173d23f9d..54c05245b7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -1,5 +1,5 @@
policy: 'ANSSI-BP-028'
-title: 'ANSSI-BP-028'
+title: 'Configuration Recommendations of a GNU/Linux System'
id: anssi
version: '1.2'
source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 5893d12dbd..49fa8593fe 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
+title: 'ANSSI BP-028 (enhanced)'
-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:enhanced
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 52ae1dd6d2..2853f20607 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (high)'
+title: 'DRAFT - ANSSI BP-028 (high)'
-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
- d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:high
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index e18225247b..55f985a7a9 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -1,10 +1,16 @@
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
+title: 'ANSSI BP-028 (intermediary)'
-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
- des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- - anssi:all:intermediary
+ - anssi:all:intermediary
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index 214f37d14b..7786a26b45 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
+title: 'ANSSI BP-028 (minimal)'
-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- - anssi:all:minimal
+ - anssi:all:minimal
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 4c39852b65..49fa8593fe 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -2,10 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (enhanced)'
-description:
- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:enhanced
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 6b0489e0f1..2853f20607 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,11 +1,15 @@
documentation_complete: false
-title: 'ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI BP-028 (high)'
-description:
- ANSSI BP-028 compliance at the high level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:high
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 4d0029af1d..50ab1ba0b8 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -2,11 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (intermediary)'
-description:
- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d''information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:intermediary
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index d8f076c3e7..d477d34787 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -2,10 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (minimal)'
-description:
- ANSSI BP-028 compliance at the minimal level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:minimal
From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 12:23:14 +0100
Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
---
rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++----
rhel7/profiles/anssi_nt28_high.profile | 8 ++++----
rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++----
rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++----
rhel8/profiles/anssi_bp28_high.profile | 8 ++++----
rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++----
8 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 49fa8593fe..411f0c03aa 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (enhanced)'
+title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 2853f20607..d9147b2dd0 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'DRAFT - ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 55f985a7a9..6e39a978e5 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -1,15 +1,15 @@
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
documentation_complete: true
-title: 'ANSSI BP-028 (intermediary)'
+title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index 7786a26b45..f0a77bccd7 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (minimal)'
+title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 49fa8593fe..411f0c03aa 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (enhanced)'
+title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 2853f20607..d9147b2dd0 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,14 +1,14 @@
documentation_complete: false
-title: 'DRAFT - ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 50ab1ba0b8..6dcd2b8ef2 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (intermediary)'
+title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index d477d34787..54e8cbd5a6 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (minimal)'
+title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 5 Feb 2021 11:11:57 +0100
Subject: [PATCH 4/5] Fix ANSSI document number for consistency
---
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 411f0c03aa..846ace9002 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index d9147b2dd0..e4db830291 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 6e39a978e5..4454976862 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -4,7 +4,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index f0a77bccd7..cc2cbd8359 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 411f0c03aa..846ace9002 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index d9147b2dd0..e4db830291 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -3,7 +3,7 @@ documentation_complete: false
title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 6dcd2b8ef2..a9e0442257 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index 54e8cbd5a6..090b571bb6 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 5 Feb 2021 16:05:07 +0100
Subject: [PATCH 5/5] Fix single quote in ANSSI name
Previously the description was enclosed in single quotes, requiring a
single quote to be escaped.
Now the description is not enclosed in single quotes and there is no
need to escape it.
---
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 846ace9002..bbc11353f3 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index e4db830291..22efad9c09 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 4454976862..0c43ab8d73 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index cc2cbd8359..480333747c 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 846ace9002..bbc11353f3 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index e4db830291..22efad9c09 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index a9e0442257..a592031673 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index 090b571bb6..cef8394114 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:

89
SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch Normal file
View File

@ -0,0 +1,89 @@
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 18 Jan 2021 11:18:43 +0100
Subject: [PATCH] Update metadata for a few miminal and intermediary
requirements
---
controls/anssi.yml | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..9288ac1663 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -506,7 +506,10 @@ controls:
- id: R27
title: Disabling service accounts
level: intermediary
- # rules: TBD
+ notes: >-
+ It is difficult to generally identify the system's service accounts.
+ Assisting rules could list users which are not disabled for manual review.
+ automated: no
- id: R28
level: enhanced
@@ -530,7 +533,10 @@ controls:
- id: R30
level: minimal
title: Applications using PAM
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
+ Asssising rules could be created to list all applications using PAM for manual review.
+ automated: no
- id: R31
title: Securing PAM Authentication Network Services
@@ -580,6 +586,7 @@ controls:
- id: R36
title: Rights to access sensitive content files
level: intermediary
+ automated: yes
rules:
- file_owner_etc_shadow
- file_permissions_etc_shadow
@@ -637,7 +644,10 @@ controls:
- id: R42
level: minimal
title: In memory services and daemons
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of resident daemons is minimal.
+ Asssising rules could be created to list sevices listening on the network for manual review.
+ automated: no
- id: R43
title: Hardening and configuring the syslog
@@ -709,6 +719,7 @@ controls:
- id: R48
level: intermediary
title: Configuring the local messaging service
+ automated: yes
rules:
- postfix_network_listening_disabled
@@ -825,6 +836,7 @@ controls:
level: intermediary
title: Privileges of target sudo users
description: The targeted users of a rule should be, as much as possible, non privileged users.
+ automated: yes
rules:
- sudoers_no_root_target
@@ -840,12 +852,14 @@ controls:
level: intermediary
title: Good use of negation in a sudoers file
description: The sudoers configuration rules should not involve negation.
+ automated: yes
rules:
- sudoers_no_command_negation
- id: R63
level: intermediary
title: Explicit arguments in sudo specifications
+ automated: yes
rules:
- sudoers_explicit_command_args

352
SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch Normal file
View File

@ -0,0 +1,352 @@
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Mon, 8 Feb 2021 15:57:43 +0100
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
kickstart
---
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 1d35bedb91..c381512476 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -99,7 +99,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
index 73225c2fab..a672b38b83 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
@@ -103,7 +103,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
index 20c4c59a78..88a7cee8ab 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
@@ -99,7 +99,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 728946ecb7..6f66a3774b 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -90,7 +90,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index cd0eff2625..b5c09253a5 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -94,7 +94,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 3a241b06f4..fb785e0c11 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -90,7 +90,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Tue, 9 Feb 2021 12:45:34 +0100
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
remediation
---
.../bash/shared.sh | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
new file mode 100644
index 0000000000..7e2b3bd76b
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
@@ -0,0 +1,18 @@
+# platform = multi_platform_all
+. /usr/share/scap-security-guide/remediation_functions
+
+include_mount_options_functions
+
+MOUNT_OPTION="nodev"
+# Create array of local non-root partitions
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
+
+for partition_record in "${partitions_records[@]}"; do
+ # Get all important information for fstab
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
+ device="$(echo ${partition_record} | cut -d " " -f2)"
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
+ # device and device_type will be used only in case when the device doesn't have fstab record
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
+ ensure_partition_is_mounted "$mount_point"
+done
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Tue, 9 Feb 2021 12:45:54 +0100
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
scenarios
---
.../tests/correct.pass.sh | 23 +++++++++++++++++
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
5 files changed, 113 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
new file mode 100644
index 0000000000..8bfac4b80f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
+mount_partition "/tmp/partition2"
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
new file mode 100644
index 0000000000..84cadd6f73
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+mkdir /tmp/test_dir
+mount $PARTITION /tmp/test_dir
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
new file mode 100644
index 0000000000..7a09093f46
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2
+mount_partition "/tmp/partition2"
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
new file mode 100644
index 0000000000..c20a98bdcc
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2
+mount_partition "/tmp/partition2"
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
new file mode 100644
index 0000000000..a95410526f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# packages = nfs-utils
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+mkdir /tmp/testdir
+mkdir /tmp/testmount
+chown 2 /tmp/testdir
+chmod 777 /tmp/testdir
+
+echo '/tmp/testdir localhost(rw)' > /etc/exports
+systemctl restart nfs-server
+mount.nfs localhost:/tmp/testdir /tmp/testmount
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Feb 2021 18:32:26 +0100
Subject: [PATCH 4/5] Add Ansible for
mount_option_nodev_nonroot_local_partitions
The remediation metadata were inspired by the template mount_options
---
.../ansible/shared.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
new file mode 100644
index 0000000000..8530604308
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
@@ -0,0 +1,18 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = high
+
+- name: Ensure non-root local partitions are mounted with nodev option
+ mount:
+ path: "{{ item.mount }}"
+ src: "{{ item.device}}"
+ opts: "{{ item.options }},nodev"
+ state: "mounted"
+ fstype: "{{ item.fstype }}"
+ when:
+ - "item.mount is match('/\\w')"
+ - "item.options is not search('nodev')"
+ with_items:
+ - "{{ ansible_facts.mounts }}"
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Feb 2021 20:29:32 +0100
Subject: [PATCH 5/5] Add space before and after variable
---
.../ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
index 8530604308..2aa9a53e4d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
@@ -7,7 +7,7 @@
- name: Ensure non-root local partitions are mounted with nodev option
mount:
path: "{{ item.mount }}"
- src: "{{ item.device}}"
+ src: "{{ item.device }}"
opts: "{{ item.options }},nodev"
state: "mounted"
fstype: "{{ item.fstype }}"

1711
SOURCES/scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch Normal file
View File

File diff suppressed because it is too large Load Diff

140
SPECS/scap-security-guide.spec
View File

@ -1,26 +1,48 @@
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.50 Version: 0.1.54
Release: 6%{?dist} Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
Group: Applications/System Group: Applications/System
License: BSD License: BSD
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
# Patch6 already contains typo fix Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
# Untill ANSSI High profile is shipped we drop the ks too
Patch28: remove-ANSSI-high-ks.patch
BuildArch: noarch BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires # To get python3 inside the buildroot require its path explicitly in BuildRequires
@ -53,7 +75,7 @@ hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package. present in %{name} package.
%prep %prep
%setup -q %setup -q -b 1
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
@ -67,13 +89,28 @@ present in %{name} package.
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
mkdir build mkdir build
%build %build
cd build cd build
%cmake \ %cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
@ -86,6 +123,11 @@ cd build
cd build cd build
%make_install %make_install
# Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
%files %files
%{_datadir}/xml/scap/ssg/content %{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart %{_datadir}/%{name}/kickstart
@ -101,6 +143,70 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html %doc %{_docdir}/%{name}/tables/*.html
%changelog %changelog
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Remove Kickstart for not shipped profile (RHBZ#1778188)
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344)
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to the latest upstream release (RHBZ#1889344)
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
- fixed link in a grub2 rule description (rhbz#1854854)
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
- Update the scapval invocation (RHBZ#1815007)
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
- fix description of HIPAA profile (RHBZ#1867559)
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
- Remove CCM from TLS Ciphersuites
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6 * Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606) - Fix rsyslog permissions/ownership rules (RHBZ#1781606)