import scap-security-guide-0.1.54-5.el8
parent
82da654d43
commit
9aab723dde
.gitignore
@ -1 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.50.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
|
@ -1 +1,2 @@
|
||||
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
|
@ -1,25 +1,24 @@
|
||||
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
|
||||
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 19:01:22 +0100
|
||||
Date: Thu, 3 Dec 2020 14:35:47 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
They raise too many errors and fails.
|
||||
Also disable tables for profiles that are not built.
|
||||
---
|
||||
rhel8/CMakeLists.txt | 2 --
|
||||
rhel8/CMakeLists.txt | 6 ------
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/cjis.profile | 2 +-
|
||||
rhel8/profiles/cui.profile | 2 +-
|
||||
rhel8/profiles/ism_o.profile | 2 +-
|
||||
rhel8/profiles/rhelh-stig.profile | 2 +-
|
||||
rhel8/profiles/rhelh-vpp.profile | 2 +-
|
||||
rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
rhel8/profiles/standard.profile | 2 +-
|
||||
9 files changed, 8 insertions(+), 10 deletions(-)
|
||||
11 files changed, 10 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index 40f2b2b0f..492a8dae1 100644
|
||||
index d61689c97..5e444a101 100644
|
||||
--- a/rhel8/CMakeLists.txt
|
||||
+++ b/rhel8/CMakeLists.txt
|
||||
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
|
||||
|
||||
@ -27,28 +26,44 @@ index 40f2b2b0f..492a8dae1 100644
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
|
||||
|
||||
# Uncomment when anssi profiles are marked documentation_complete: true
|
||||
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
|
||||
-
|
||||
ssg_build_html_cce_table(${PRODUCT})
|
||||
|
||||
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index ccad93d67..6a854378c 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'ANSSI BP-028 (high)'
|
||||
|
||||
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 05ea9cdd6..9c55ac5b1 100644
|
||||
index 035d2705b..c6475f33e 100644
|
||||
--- a/rhel8/profiles/cjis.profile
|
||||
+++ b/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Criminal Justice Information Services (CJIS) Security Policy'
|
||||
|
||||
diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
|
||||
index eb62252a4..e8f369708 100644
|
||||
--- a/rhel8/profiles/cui.profile
|
||||
+++ b/rhel8/profiles/cui.profile
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
|
||||
index a3c427c01..4605dea3b 100644
|
||||
--- a/rhel8/profiles/ism_o.profile
|
||||
+++ b/rhel8/profiles/ism_o.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
|
||||
|
||||
metadata:
|
||||
SMEs:
|
||||
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
|
||||
index 1efca5f44..c3d0b0964 100644
|
||||
--- a/rhel8/profiles/rhelh-stig.profile
|
||||
@ -90,5 +105,5 @@ index a63ae2cf3..da669bb84 100644
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.21.1
|
||||
2.26.2
|
||||
|
||||
|
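Review bot: In the rhel8/CMakeLists.txt hunk the four `ssg_build_html_anssirefs_table(${PRODUCT} "bp28_*")` calls are now deleted outright, while the comment kept just above them, `# Uncomment when anssi profiles are marked documentation_complete: true`, still describes only the commented-out `nt28_minimal` line, so the re-enable path for the bp28 tables is no longer documented next to the code. Commenting the four lines out instead, e.g. `#ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")`, keeps them under that comment and makes re-enabling a one-character change, mirroring how the anssi_bp28_high profile itself is only switched to `documentation_complete: false` rather than removed. The cui.profile and rhelh-stig.profile hunks are collapsed in this view (the outer diff jumps from line 90 to 105), so their changes could not be checked here.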
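--- /dev/null
+++ b/SOURCES/remove-ANSSI-high-ks.patch
@@ -0,0 +1,187 @@
+From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 17 Feb 2021 15:36:59 +0100
+Subject: [PATCH] Remove kickstart for profile not shipped
+
+RHEL-8 ANSSI high is not shipped at the momment
+---
+ .../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
+ 1 file changed, 167 deletions(-)
+ delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+deleted file mode 100644
+index b5c09253a..000000000
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ /dev/null
+@@ -1,167 +0,0 @@
+-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+-# Version: 0.0.1
+-# Date: 2020-12-10
+-#
+-# Based on:
+-# https://pykickstart.readthedocs.io/en/latest/
+-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+-
+-# Specify installation method to use for installation
+-# To use a different one comment out the 'url' one below, update
+-# the selected choice with proper options & un-comment it
+-#
+-# Install from an installation tree on a remote server via FTP or HTTP:
+-# --url the URL to install from
+-#
+-# Example:
+-#
+-# url --url=http://192.168.122.1/image
+-#
+-# Modify concrete URL in the above example appropriately to reflect the actual
+-# environment machine is to be installed in
+-#
+-# Other possible / supported installation methods:
+-# * install from the first CD-ROM/DVD drive on the system:
+-#
+-# cdrom
+-#
+-# * install from a directory of ISO images on a local drive:
+-#
+-# harddrive --partition=hdb2 --dir=/tmp/install-tree
+-#
+-# * install from provided NFS server:
+-#
+-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+-#
+-# Set language to use during installation and the default language to use on the installed system (required)
+-lang en_US.UTF-8
+-
+-# Set system keyboard type / layout (required)
+-keyboard us
+-
+-# Configure network information for target system and activate network devices in the installer environment (optional)
+-# --onboot enable device at a boot time
+-# --device device to be activated and / or configured with the network command
+-# --bootproto method to obtain networking configuration for device (default dhcp)
+-# --noipv6 disable IPv6 on this device
+-#
+-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+-# "--bootproto=static" must be used. For example:
+-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+-#
+-network --onboot yes --bootproto dhcp --noipv6
+-
+-# Set the system's root password (required)
+-# Plaintext password is: server
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+-
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled reject incoming connections that are not in response to outbound requests
+-# --ssh allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+-# Set the system time zone (required)
+-timezone --utc America/New_York
+-
+-# Specify how the bootloader should be installed (required)
+-# Plaintext password is: password
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+-
+-# Initialize (format) all disks (optional)
+-zerombr
+-
+-# The following partition layout scheme assumes disk of size 20GB or larger
+-# Modify size of partitions appropriately to reflect actual machine's hardware
+-#
+-# Remove Linux partitions from the system prior to creating new ones (optional)
+-# --linux erase all Linux partitions
+-# --initlabel initialize the disk label to the default based on the underlying architecture
+-clearpart --linux --initlabel
+-
+-# Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
+-
+-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+-# content - security policies - on the installed system.This add-on has been enabled by default
+-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+-# functionality will automatically be installed. However, by default, no policies are enforced,
+-# meaning that no checks are performed during or after installation unless specifically configured.
+-#
+-# Important
+-# Applying a security policy is not necessary on all systems. This screen should only be used
+-# when a specific policy is mandated by your organization rules or government regulations.
+-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+-# Values can be optionally enclosed in single quotes (') or double quotes (").
+-#
+-# The following keys are recognized by the add-on:
+-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+-# - If the content-type is scap-security-guide, the add-on will use content provided by the
+-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+-# xccdf-id - ID of the benchmark you want to use.
+-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+-# profile - ID of the profile to be applied. Use default to apply the default profile.
+-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+-#
+-# The following is an example %addon org_fedora_oscap section which uses content from the
+-# scap-security-guide on the installation media:
+-%addon org_fedora_oscap
+- content-type = scap-security-guide
+- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+-%end
+-
+-# Packages selection (%packages section is required)
+-%packages
+-
+-# Require @Base
+-@Base
+-
+-%end # End of %packages section
+-
+-# Reboot after the installation is complete (optional)
+-# --eject attempt to eject CD or DVD media before rebooting
+-reboot --eject
+--
+2.26.2
+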
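Review bot: The kickstart this new patch deletes carries crypt hashes for root, the `admin` wheel user and the GRUB bootloader whose plaintexts (`server`, `admin123`, `password`) are written in the comments right beside them, so any host installed from it unmodified ends up with publicly known credentials; dropping the file for the unshipped ANSSI high profile is fine, but the sibling kickstarts that remain shipped are presumably generated from the same template, which is worth confirming. If they are, the package should at least make the caveat visible at each `rootpw`, `user --password` and `bootloader --password` line, e.g. `# WARNING: example credential only - replace this --iscrypted hash before using this kickstart`, since the current comments read as documentation of the password rather than as a warning. The typo `momment` in the patch description could be fixed the next time the patch is regenerated.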
@ -1,71 +0,0 @@
|
||||
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 12 May 2020 08:17:20 +0200
|
||||
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 33 +++++++++++++++++++
|
||||
1 file changed, 33 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..5d76b3c073
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
|
||||
@@ -0,0 +1,33 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Configure daily log rotation in /etc/logrotate.conf
|
||||
+ lineinfile:
|
||||
+ create: yes
|
||||
+ dest: "/etc/logrotate.conf"
|
||||
+ regexp: "^daily$"
|
||||
+ line: "daily"
|
||||
+
|
||||
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
|
||||
+ lineinfile:
|
||||
+ create: no
|
||||
+ dest: "/etc/logrotate.conf"
|
||||
+ regexp: "^(weekly|monthly|yearly)$"
|
||||
+ state: absent
|
||||
+
|
||||
+- name: Configure cron.daily if not already
|
||||
+ block:
|
||||
+ - name: Add shebang
|
||||
+ lineinfile:
|
||||
+ path: "/etc/cron.daily/logrotate"
|
||||
+ line: "#!/bin/sh"
|
||||
+ insertbefore: BOF
|
||||
+ create: yes
|
||||
+ - name: Add logrotate call
|
||||
+ lineinfile:
|
||||
+ path: "/etc/cron.daily/logrotate"
|
||||
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
|
||||
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
|
||||
|
||||
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 12 May 2020 14:48:15 +0200
|
||||
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
|
||||
|
||||
Test scenario when monthly is there, but weekly is not.
|
||||
---
|
||||
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b10362989b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
|
||||
+echo "monthly" >> /etc/logrotate.conf
|
@ -1,115 +0,0 @@
|
||||
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 13 May 2020 20:49:08 +0200
|
||||
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
|
||||
|
||||
---
|
||||
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
|
||||
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a816eea390
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+#!/bin/bash
|
||||
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
+
|
||||
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
||||
+ else
|
||||
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b36125f5bb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+#!/bin/bash
|
||||
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
+
|
||||
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
||||
+ else
|
||||
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
+fi
|
||||
|
||||
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 13 May 2020 20:53:50 +0200
|
||||
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
|
||||
|
||||
---
|
||||
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
|
||||
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
|
||||
.../tests/correct_value.pass.sh | 2 +-
|
||||
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
|
||||
4 files changed, 22 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..a7e171dfe9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
@@ -0,0 +1,8 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+- (xccdf-var var_sshd_max_sessions)
|
||||
+
|
||||
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fc0a1d8b42
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+# Include source function library.
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+populate var_sshd_max_sessions
|
||||
+
|
||||
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
index a816eea390..4cc6d65988 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
||||
else
|
||||
- echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
index b36125f5bb..bc0c47842a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
||||
else
|
||||
- echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
fi
|
@ -1,147 +0,0 @@
|
||||
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 11:52:35 +0200
|
||||
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
|
||||
|
||||
Very likey a copy-pasta error from bash remediation for
|
||||
audit_rules_immutable
|
||||
---
|
||||
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
index 1c9748ce9b..b56513cdcd 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
@@ -8,7 +8,7 @@
|
||||
# files to check if '-f .*' setting is present in that '*.rules' file already.
|
||||
# If found, delete such occurrence since auditctl(8) manual page instructs the
|
||||
# '-f 2' rule should be placed as the last rule in the configuration
|
||||
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
||||
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
|
||||
|
||||
# Append '-f 2' requirement at the end of both:
|
||||
# * /etc/audit/audit.rules file (for auditctl case)
|
||||
|
||||
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 12:12:21 +0200
|
||||
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
|
||||
|
||||
Along with very basic test scenarios
|
||||
---
|
||||
.../ansible/shared.yml | 28 +++++++++++++++++++
|
||||
.../tests/augen_correct.pass.sh | 4 +++
|
||||
.../tests/augen_e_2_immutable.fail.sh | 3 ++
|
||||
3 files changed, 35 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..b9e8fa87fa
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
@@ -0,0 +1,28 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Collect all files from /etc/audit/rules.d with .rules extension
|
||||
+ find:
|
||||
+ paths: "/etc/audit/rules.d/"
|
||||
+ patterns: "*.rules"
|
||||
+ register: find_rules_d
|
||||
+
|
||||
+- name: Remove the -f option from all Audit config files
|
||||
+ lineinfile:
|
||||
+ path: "{{ item }}"
|
||||
+ regexp: '^\s*(?:-f)\s+.*$'
|
||||
+ state: absent
|
||||
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
|
||||
+
|
||||
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
+ lineinfile:
|
||||
+ path: "{{ item }}"
|
||||
+ create: True
|
||||
+ line: "-f 2"
|
||||
+ loop:
|
||||
+ - "/etc/audit/audit.rules"
|
||||
+ - "/etc/audit/rules.d/immutable.rules"
|
||||
+
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0587b937e0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
|
||||
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fa5b7231df
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
|
||||
|
||||
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:06:08 +0200
|
||||
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
|
||||
|
||||
---
|
||||
.../audit_rules_immutable/ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
index 5ac7b3dabb..1cafb744cc 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
@@ -17,7 +17,7 @@
|
||||
state: absent
|
||||
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
|
||||
|
||||
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
lineinfile:
|
||||
path: "{{ item }}"
|
||||
create: True
|
||||
|
||||
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 19 May 2020 11:02:56 +0200
|
||||
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
|
||||
|
||||
---
|
||||
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
|
||||
1 file changed, 8 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
index b56513cdcd..a349bb1ca1 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
@@ -4,16 +4,8 @@
|
||||
#
|
||||
# /etc/audit/audit.rules, (for auditctl case)
|
||||
# /etc/audit/rules.d/*.rules (for augenrules case)
|
||||
-#
|
||||
-# files to check if '-f .*' setting is present in that '*.rules' file already.
|
||||
-# If found, delete such occurrence since auditctl(8) manual page instructs the
|
||||
-# '-f 2' rule should be placed as the last rule in the configuration
|
||||
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
|
||||
|
||||
-# Append '-f 2' requirement at the end of both:
|
||||
-# * /etc/audit/audit.rules file (for auditctl case)
|
||||
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
|
||||
-
|
||||
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
|
||||
do
|
||||
echo '' >> $AUDIT_FILE
|
@ -1,49 +0,0 @@
|
||||
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 21 May 2020 18:16:43 +0200
|
||||
Subject: [PATCH] Attribute content to CIS
|
||||
|
||||
And update the description a bit.
|
||||
---
|
||||
rhel7/profiles/cis.profile | 8 +++++---
|
||||
rhel8/profiles/cis.profile | 8 +++++---
|
||||
2 files changed, 10 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
||||
index 0826a49547..829c388133 100644
|
||||
--- a/rhel7/profiles/cis.profile
|
||||
+++ b/rhel7/profiles/cis.profile
|
||||
@@ -3,9 +3,11 @@ documentation_complete: true
|
||||
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
|
||||
|
||||
description: |-
|
||||
- This baseline aligns to the Center for Internet Security
|
||||
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
|
||||
- 12-27-2017.
|
||||
+ This profile defines a baseline that aligns to the Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
|
||||
+
|
||||
+ This profile includes Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
|
||||
|
||||
selections:
|
||||
# Necessary for dconf rules
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index f332ee5462..868b9f21a6 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -3,9 +3,11 @@ documentation_complete: true
|
||||
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
|
||||
|
||||
description: |-
|
||||
- This baseline aligns to the Center for Internet Security
|
||||
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
|
||||
- 09-30-2019.
|
||||
+ This profile defines a baseline that aligns to the Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
|
||||
+
|
||||
+ This profile includes Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
||||
|
||||
selections:
|
||||
# Necessary for dconf rules
|
@ -1,274 +0,0 @@
|
||||
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 25 May 2020 12:17:48 +0200
|
||||
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
|
||||
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
|
||||
2 files changed, 250 insertions(+)
|
||||
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..14c82c4231
|
||||
--- /dev/null
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
@@ -0,0 +1,125 @@
|
||||
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
|
||||
+# Version: 0.0.1
|
||||
+# Date: 2020-05-25
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# --enableshadow enable shadowed passwords by default
|
||||
+# --passalgo hash / crypt algorithm for new passwords
|
||||
+# See the manual page for authconfig for a complete list of possible options.
|
||||
+authconfig --enableshadow --passalgo=sha512
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Plaintext password is: password
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+autopart
|
||||
+
|
||||
+# Harden installation with HIPAA profile
|
||||
+# For more details and configuration options see command %addon org_fedora_oscap in
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_hipaa
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..861db36f18
|
||||
--- /dev/null
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
@@ -0,0 +1,125 @@
|
||||
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
|
||||
+# Version: 0.0.1
|
||||
+# Date: 2020-05-25
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# sssd profile sets sha512 to hash passwords
|
||||
+# passwords are shadowed by default
|
||||
+# See the manual page for authselect-profile for a complete list of possible options.
|
||||
+authselect select sssd
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Plaintext password is: password
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+autopart
|
||||
+
|
||||
+# Harden installation with HIPAA profile
|
||||
+# For more details and configuration options see
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_hipaa
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
|
@ -1,76 +0,0 @@
|
||||
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 22 May 2020 14:12:18 +0200
|
||||
Subject: [PATCH] Add missing CCEs for RHEL8
|
||||
|
||||
---
|
||||
.../password_storage/no_netrc_files/rule.yml | 1 +
|
||||
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
|
||||
.../file_groupownership_home_directories/rule.yml | 1 +
|
||||
shared/references/cce-redhat-avail.txt | 3 ---
|
||||
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
index 8547893201..1bd1f5742e 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel6: 27225-2
|
||||
cce@rhel7: 80211-6
|
||||
+ cce@rhel8: 83444-0
|
||||
cce@ocp4: 82667-7
|
||||
|
||||
references:
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
index bedf3a0b19..e69bc9d736 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
@@ -21,6 +21,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: 80529-1
|
||||
+ cce@rhel8: 83424-2
|
||||
|
||||
references:
|
||||
stigid@ol7: "020620"
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 1c5ac8d099..f931f6d160 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: 80532-5
|
||||
+ cce@rhel8: 83434-1
|
||||
|
||||
references:
|
||||
stigid@ol7: "020650"
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 2f0d2a526b..45d03a2c1d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -95,7 +95,6 @@ CCE-83411-9
|
||||
CCE-83421-8
|
||||
CCE-83422-6
|
||||
CCE-83423-4
|
||||
-CCE-83424-2
|
||||
CCE-83425-9
|
||||
CCE-83426-7
|
||||
CCE-83427-5
|
||||
@@ -105,7 +104,6 @@ CCE-83430-9
|
||||
CCE-83431-7
|
||||
CCE-83432-5
|
||||
CCE-83433-3
|
||||
-CCE-83434-1
|
||||
CCE-83435-8
|
||||
CCE-83436-6
|
||||
CCE-83437-4
|
||||
@@ -115,7 +113,6 @@ CCE-83440-8
|
||||
CCE-83441-6
|
||||
CCE-83442-4
|
||||
CCE-83443-2
|
||||
-CCE-83444-0
|
||||
CCE-83445-7
|
||||
CCE-83446-5
|
||||
CCE-83447-3
|
@ -1,103 +0,0 @@
|
||||
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 13:30:24 +0200
|
||||
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
|
||||
|
||||
---
|
||||
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
index e9a29a24d5..6fbb7c72a5 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
@@ -3,13 +3,9 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
-- name: Test for existence of /etc/securetty
|
||||
- stat:
|
||||
- path: /etc/securetty
|
||||
- register: securetty_empty
|
||||
+
|
||||
|
||||
- name: "Direct root Logins Not Allowed"
|
||||
copy:
|
||||
dest: /etc/securetty
|
||||
content: ""
|
||||
- when: securetty_empty.stat.size > 1
|
||||
|
||||
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 14:21:38 +0200
|
||||
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
|
||||
|
||||
---
|
||||
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
|
||||
index 29f37081be..38d7c7c350 100644
|
||||
--- a/shared/templates/template_ANSIBLE_sebool
|
||||
+++ b/shared/templates/template_ANSIBLE_sebool
|
||||
@@ -13,11 +13,17 @@
|
||||
{{% else %}}
|
||||
- (xccdf-var var_{{{ SEBOOLID }}})
|
||||
|
||||
+{{% if product == "rhel8" %}}
|
||||
+- name: Ensure python3-libsemanage installed
|
||||
+ package:
|
||||
+ name: python3-libsemanage
|
||||
+ state: present
|
||||
+{{% else %}}
|
||||
- name: Ensure libsemanage-python installed
|
||||
package:
|
||||
name: libsemanage-python
|
||||
state: present
|
||||
-
|
||||
+{{% endif %}}
|
||||
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
|
||||
seboolean:
|
||||
name: {{{ SEBOOLID }}}
|
||||
|
||||
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 14:57:05 +0200
|
||||
Subject: [PATCH 3/3] add tests for no_direct_root_logins
|
||||
|
||||
---
|
||||
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
|
||||
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
|
||||
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
|
||||
3 files changed, 9 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..17251f6a98
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo > /etc/securetty
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c764814b26
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+rm -f /etc/securetty
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..43ac341e87
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "something" > /etc/securetty
|
@ -1,308 +0,0 @@
|
||||
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 26 May 2020 17:49:21 +0200
|
||||
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
|
||||
|
||||
Affected rules:
|
||||
- selinux_policytype
|
||||
- selinux_state
|
||||
---
|
||||
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
|
||||
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
|
||||
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
|
||||
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
|
||||
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
|
||||
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
|
||||
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
|
||||
shared/macros-ansible.jinja | 11 +++++++++++
|
||||
shared/macros-bash.jinja | 15 +++++++++++++++
|
||||
9 files changed, 61 insertions(+), 18 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
index 5c70cc9f7f..9f8cf66dfb 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
@@ -3,11 +3,6 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
- (xccdf-var var_selinux_policy_name)
|
||||
|
||||
-- name: "{{{ rule_title }}}"
|
||||
- lineinfile:
|
||||
- path: /etc/sysconfig/selinux
|
||||
- regexp: '^SELINUXTYPE='
|
||||
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
|
||||
- create: yes
|
||||
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
index d0fbbf4446..2b5ce31b12 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
@@ -1,7 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
-#
|
||||
+
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
populate var_selinux_policy_name
|
||||
|
||||
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
|
||||
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1a6eb94953
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+
|
||||
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
|
||||
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
|
||||
+else
|
||||
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
index b465ac6729..1c1560a86c 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
@@ -3,11 +3,6 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
- (xccdf-var var_selinux_state)
|
||||
|
||||
-- name: "{{{ rule_title }}}"
|
||||
- lineinfile:
|
||||
- path: /etc/sysconfig/selinux
|
||||
- regexp: '^SELINUX='
|
||||
- line: "SELINUX={{ var_selinux_state }}"
|
||||
- create: yes
|
||||
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
index 58193b5504..a402a861d7 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
@@ -1,10 +1,11 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
|
||||
-#
|
||||
+
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
populate var_selinux_state
|
||||
|
||||
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
|
||||
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
|
||||
|
||||
fixfiles onboot
|
||||
fixfiles -f relabel
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..180dd80791
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..3db1e56b5f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+
|
||||
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
|
||||
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
|
||||
+else
|
||||
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
|
||||
+fi
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 6798a25d1f..01d3155b37 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
|
||||
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
+{{#
|
||||
+ High level macro to set a parameter in /etc/selinux/config.
|
||||
+ Parameters:
|
||||
+ - msg: the name for the Ansible task
|
||||
+ - parameter: parameter to be set in the configuration file
|
||||
+ - value: value of the parameter
|
||||
+#}}
|
||||
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
|
||||
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
{{#
|
||||
Generates an Ansible task that puts 'contents' into a file at 'filepath'
|
||||
Parameters:
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 3a94fe5dd8..2531d1c52d 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -86,6 +86,21 @@ populate {{{ name }}}
|
||||
}}}
|
||||
{{%- endmacro -%}}
|
||||
|
||||
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
|
||||
+{{{ set_config_file(
|
||||
+ path="/etc/selinux/config",
|
||||
+ parameter=parameter,
|
||||
+ value=value,
|
||||
+ create=true,
|
||||
+ insert_after="",
|
||||
+ insert_before="",
|
||||
+ insensitive=true,
|
||||
+ separator="=",
|
||||
+ separator_regex="\s*=\s*",
|
||||
+ prefix_regex="^\s*")
|
||||
+ }}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
{{#
|
||||
# Install a package
|
||||
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
|
||||
|
||||
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 27 May 2020 18:48:57 +0200
|
||||
Subject: [PATCH 2/2] Remediation requires reboot.
|
||||
|
||||
Update OVAL check to disallow spaces.
|
||||
Removed selinuxtype_minimum test scenario since breaks the system.
|
||||
---
|
||||
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
|
||||
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
|
||||
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
|
||||
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
|
||||
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
|
||||
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
|
||||
shared/macros-ansible.jinja | 2 +-
|
||||
shared/macros-bash.jinja | 4 ++--
|
||||
8 files changed, 14 insertions(+), 16 deletions(-)
|
||||
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
index 9f8cf66dfb..73e6ec7cd4 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
@@ -1,5 +1,5 @@
|
||||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
-# reboot = false
|
||||
+# reboot = true
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
index 2b5ce31b12..b4f79c97f9 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
@@ -1,4 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
index f1840a1290..3d69fff07f 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
@@ -27,7 +27,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
|
||||
<ind:filepath>/etc/selinux/config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
deleted file mode 100644
|
||||
index 1a6eb94953..0000000000
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,10 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
-
|
||||
-SELINUX_FILE='/etc/selinux/config'
|
||||
-
|
||||
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
|
||||
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
|
||||
-else
|
||||
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
|
||||
-fi
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
index a402a861d7..645a7acab4 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
@@ -1,4 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
index c0881696e1..8c328060af 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
@@ -18,7 +18,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
|
||||
<ind:filepath>/etc/selinux/config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 01d3155b37..580a0b948e 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
|
||||
- value: value of the parameter
|
||||
#}}
|
||||
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
|
||||
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
{{#
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 2531d1c52d..8abcc914d3 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -96,8 +96,8 @@ populate {{{ name }}}
|
||||
insert_before="",
|
||||
insensitive=true,
|
||||
separator="=",
|
||||
- separator_regex="\s*=\s*",
|
||||
- prefix_regex="^\s*")
|
||||
+ separator_regex="=",
|
||||
+ prefix_regex="^")
|
||||
}}}
|
||||
{{%- endmacro -%}}
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 23:36:18 +0200
|
||||
Subject: [PATCH] Ansible mount_option: split mount and option task
|
||||
|
||||
Separate task that adds mount options mounts the mountpoint into two tasks.
|
||||
Conditioning the "mount" task on the absence of the target mount option
|
||||
caused the task to always be skipped when mount option was alredy present,
|
||||
and could result in the mount point not being mounted.
|
||||
---
|
||||
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
|
||||
index 95bede25f9..a0cf8d6b7a 100644
|
||||
--- a/shared/templates/template_ANSIBLE_mount_option
|
||||
+++ b/shared/templates/template_ANSIBLE_mount_option
|
||||
@@ -26,14 +26,19 @@
|
||||
- device_name.stdout is defined and device_name.stdout_lines is defined
|
||||
- (device_name.stdout | length > 0)
|
||||
|
||||
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
|
||||
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
|
||||
+ set_fact:
|
||||
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
|
||||
+ when:
|
||||
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
|
||||
+
|
||||
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
|
||||
mount:
|
||||
path: "{{{ MOUNTPOINT }}}"
|
||||
src: "{{ mount_info.source }}"
|
||||
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
|
||||
+ opts: "{{ mount_info.options }}"
|
||||
state: "mounted"
|
||||
fstype: "{{ mount_info.fstype }}"
|
||||
when:
|
||||
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
|
||||
- device_name.stdout is defined
|
||||
- (device_name.stdout | length > 0)
|
@ -1,33 +0,0 @@
|
||||
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 14 May 2020 16:46:07 +0200
|
||||
Subject: [PATCH] reorder groups because of permissions verification
|
||||
|
||||
---
|
||||
ssg/build_yaml.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
|
||||
index e3e138283c..c9f3179c08 100644
|
||||
--- a/ssg/build_yaml.py
|
||||
+++ b/ssg/build_yaml.py
|
||||
@@ -700,6 +700,11 @@ def to_xml_element(self):
|
||||
# audit_rules_privileged_commands, othervise the rule
|
||||
# does not catch newly installed screeen binary during remediation
|
||||
# and report fail
|
||||
+ # the software group should come before the
|
||||
+ # bootloader-grub2 group because of conflict between
|
||||
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
|
||||
+ # specific rules concerning permissions should
|
||||
+ # be applied after the general rpm_verify_permissions
|
||||
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
|
||||
# the firewalld_activation must come before ruleset_modifications, othervise
|
||||
# remediations for ruleset_modifications won't work
|
||||
@@ -707,6 +712,7 @@ def to_xml_element(self):
|
||||
# otherwise the remediation prints error although it is successful
|
||||
priority_order = [
|
||||
"accounts", "auditing",
|
||||
+ "software", "bootloader-grub2",
|
||||
"fips", "crypto",
|
||||
"firewalld_activation", "ruleset_modifications",
|
||||
"disabling_ipv6", "configuring_ipv6"
|
@ -1,171 +0,0 @@
|
||||
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 14 May 2020 01:20:53 +0200
|
||||
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
|
||||
|
||||
All paths in /etc/rsyslog.conf were taken as log files, but paths
|
||||
in lines containing "include" or "$IncludeConfig" are config files.
|
||||
|
||||
Let's not take them in as log files
|
||||
---
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index a78cd69df2..c74f3da3f5 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -87,8 +87,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their permissions don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
|
||||
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 14 May 2020 00:16:37 +0200
|
||||
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
|
||||
|
||||
The remediation script also needs to parse the files included via
|
||||
"include()".
|
||||
The awk also takes into consideration the multiline aspect.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 6cbf0c6a24..dca35301e7 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
# Browse each file selected above as containing paths of log files
|
||||
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
|
||||
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 15:53:58 +0200
|
||||
Subject: [PATCH 3/4] Make regex for include file more strict
|
||||
|
||||
For some reason gensub in awk doesn't support non capturing group.
|
||||
So the group with OR is capturing and we substitute everyting with the
|
||||
second group, witch matches the file path.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index dca35301e7..99d2d0e794 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 16:55:02 +0200
|
||||
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
|
||||
|
||||
These three files basically work the same way
|
||||
---
|
||||
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
|
||||
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
|
||||
3 files changed, 22 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
index 5828f25321..9941e2b94f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
@@ -86,8 +86,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their groupownership don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
index 3c46eab6d6..29dd1a989e 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
@@ -83,8 +83,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their owner don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index c74f3da3f5..da37a15b8c 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -87,10 +87,10 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- <filter action="exclude">state_ignore_include_paths</filter>
|
||||
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
|
||||
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
include() or $IncludeConfig statements.
|
||||
These paths are conf files, not log files. Their permissions don't need to be as
|
@ -0,0 +1,137 @@
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
index 7da2e067a6..5d01170aab 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
@@ -33,6 +33,7 @@ references:
|
||||
cis@sle12: 5.2.4
|
||||
cis@sle15: 5.2.6
|
||||
stigid@rhel7: RHEL-07-040710
|
||||
+ stigid@ol7: OL07-00-040710
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
index 87c3cb7f5a..5683676bfc 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
@@ -23,7 +23,6 @@ identifiers:
|
||||
cce@sle12: CCE-83017-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040710
|
||||
cui: 3.1.13
|
||||
disa: CCI-000366
|
||||
nist: CM-6(a),AC-17(a),AC-17(2)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
index 50c7d689af..42cb32e30e 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -51,7 +51,6 @@ identifiers:
|
||||
cce@rhel8: CCE-81032-5
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040110
|
||||
cis: 5.2.10
|
||||
cjis: 5.5.6
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
index 0751064179..73de17af35 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -32,6 +32,7 @@ references:
|
||||
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
||||
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040110
|
||||
+ stigid@ol7: OL07-00-040110
|
||||
|
||||
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index c490756daf..13997f9418 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -46,7 +46,6 @@ identifiers:
|
||||
cce@sle12: CCE-83036-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040400
|
||||
cis: 5.2.12
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index 88d2d77e14..bd597f0860 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -25,6 +25,7 @@ references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040400
|
||||
+ stigid@ol7: OL07-00-040400
|
||||
|
||||
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
index 7267d2443a..b0fe065d86 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -26,6 +26,7 @@ identifiers:
|
||||
references:
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stig@rhel7: RHEL-07-040711
|
||||
+ stig@ol7: OL07-00-040711
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 820a942220..dfcbbafd17 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
|
||||
ocil: |-
|
||||
To verify the assigned home directory of all interactive users is group-
|
||||
owned by that users primary GID, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
index 7d5778d4f6..37cb36cda3 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
|
||||
|
||||
ocil: |-
|
||||
To verify the home directory ownership, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
|
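Review bot: The reference key added in sshd_x11_use_localhost/rule.yml, `stig@ol7: OL07-00-040711`, does not match the `stigid@ol7` key every other hunk in this patch uses (sshd_disable_x11_forwarding, sshd_use_approved_ciphers_ordered_stig, sshd_use_approved_macs_ordered_stig). The neighbouring pre-existing `stig@rhel7: RHEL-07-040711` line has the same spelling, so this looks like a typo being propagated rather than a deliberately different key; if `stig@` is not a recognised reference prefix in this content build, the OL7 STIG id would be silently absent from the rendered references. Changing the added line to `stigid@ol7: OL07-00-040711` keeps the file consistent with the rest of the patch, and the rhel7 line beside it probably deserves the same correction. Separately, the new OCIL command `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd` in the two home-directory rules still lists accounts whose shell is `/bin/false` and, on systems that have it, the UID 65534 nobody/nfsnobody account, so the listed set may be wider than the interactive users the rule text describes.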
@ -0,0 +1,34 @@
|
||||
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 09:42:26 +0100
|
||||
Subject: [PATCH] Add metadata to ANSSI R35
|
||||
|
||||
Current implementation cannot diferentiate between system and
|
||||
standard user umask, they are both set to the same value.
|
||||
---
|
||||
controls/anssi.yml | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..621996e985 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -572,10 +572,18 @@ controls:
|
||||
only be read by the user and his group, and be editable only by his owner).
|
||||
The umask for users must be set to 0077 (any file created by a user is
|
||||
readable and editable only by him).
|
||||
+ notes: >-
|
||||
+ There is no simple way to check and remediate different umask values for
|
||||
+ system and standard users reliably.
|
||||
+ The different values are set in a conditional clause in a shell script
|
||||
+ (e.g. /etc/profile or /etc/bashrc).
|
||||
+ The current implementation checks and fixes both umask to the same value.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- var_accounts_user_umask=077
|
||||
- accounts_umask_etc_login_defs
|
||||
- accounts_umask_etc_profile
|
||||
+ - accounts_umask_etc_bashrc
|
||||
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
@ -0,0 +1,94 @@
|
||||
From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:03 +0100
|
||||
Subject: [PATCH 1/3] add rule
|
||||
|
||||
---
|
||||
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
|
||||
1 file changed, 34 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..1811c43815
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol8,rhel7,rhel8
|
||||
+
|
||||
+title: 'Disable loading and unloading of kernel modules'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Malicious kernel modules can have a significant impact on system security and
|
||||
+ availability. Disabling loading of kernel modules prevents this threat. Note
|
||||
+ that once this option has been set, it cannot be reverted without doing a
|
||||
+ system reboot. Make sure that all needed kernel modules are loaded before
|
||||
+ setting this option.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83392-1
|
||||
+ cce@rhel8: CCE-83397-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R24)
|
||||
+
|
||||
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: kernel.modules_disabled
|
||||
+ sysctlval: '1'
|
||||
+ datatype: int
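Review bot: The rationale states that kernel.modules_disabled cannot be reverted without a reboot, yet the new rule carries no `warnings:` block, so the built guide never tells an operator that remediating a running host takes effect immediately if the sysctl template's remediation also sets the live value (the template is not part of this patch, so please confirm that it does). Any module that would normally be autoloaded later — a filesystem, network or crypto driver — then fails to load until the next reboot, which is the kind of outage a warning exists to prevent. I would add next to the rationale something like `warnings: - general: Once kernel.modules_disabled is 1 no further modules can be loaded until reboot; apply this remediation only after every required module is loaded, not during a live scan of a production system.`; the anssi.yml and CCE-pool hunks in this series need no change.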
|
||||
|
||||
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:15 +0100
|
||||
Subject: [PATCH 2/3] add rule to anssi profile
|
||||
|
||||
---
|
||||
controls/anssi.yml | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 9e2b899b6d..f435459af3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -483,7 +483,8 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
- # rules: TBD
|
||||
+ rules:
|
||||
+ - sysctl_kernel_modules_disabled
|
||||
|
||||
- id: R25
|
||||
level: enhanced
|
||||
|
||||
From a4a91fbb7f23854e4f80819a023c1adc4e7110c5 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 14 Jan 2021 09:30:01 +0100
|
||||
Subject: [PATCH 3/3] remove cces from pool
|
||||
|
||||
---
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4dbec8255c..137d975a3d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,5 +1,3 @@
|
||||
-CCE-83392-1
|
||||
-CCE-83397-0
|
||||
CCE-83398-8
|
||||
CCE-83399-6
|
||||
CCE-83404-4
|
@ -0,0 +1,117 @@
|
||||
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:25:05 +0200
|
||||
Subject: [PATCH 1/2] var pam unix remember, add selector
|
||||
|
||||
Add selector "2" to var_password_pam_unix_remember.
|
||||
---
|
||||
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
index f533a36963..6e7abb3b78 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
@@ -18,6 +18,7 @@ options:
|
||||
"0": "0"
|
||||
10: 10
|
||||
24: 24
|
||||
+ 2: 2
|
||||
4: 4
|
||||
5: 5
|
||||
default: 5
|
||||
|
||||
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:29:47 +0200
|
||||
Subject: [PATCH 2/2] Select rules for password strenght management
|
||||
|
||||
Rule selection is based on ANSSI DAT-NT-001
|
||||
---
|
||||
controls/anssi.yml | 45 ++++++++++++++++++-
|
||||
.../var_password_pam_minlen.var | 2 +
|
||||
...ar_accounts_password_minlen_login_defs.var | 2 +
|
||||
3 files changed, 48 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..3ccd0f8cb3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -281,7 +281,50 @@ controls:
|
||||
- id: R18
|
||||
level: minimal
|
||||
title: Administrator password robustness
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The rules selected below establish a general password strength baseline of 100 bits,
|
||||
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
|
||||
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
|
||||
+
|
||||
+ The baseline should be reviewed and tailored to the system's use case and needs.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ # Renew passwords every 90 days
|
||||
+ - var_accounts_maximum_age_login_defs=90
|
||||
+ - accounts_maximum_age_login_defs
|
||||
+
|
||||
+ # Ensure passwords with minimum of 18 characters
|
||||
+ - var_password_pam_minlen=18
|
||||
+ - accounts_password_pam_minlen
|
||||
+ # Enforce password lenght for new accounts
|
||||
+ - var_accounts_password_minlen_login_defs=18
|
||||
+ - accounts_password_minlen_login_defs
|
||||
+ # Require at Least 1 Special Character in Password
|
||||
+ - var_password_pam_ocredit=1
|
||||
+ - accounts_password_pam_ocredit
|
||||
+ # Require at Least 1 Numeric Character in Password
|
||||
+ - var_password_pam_dcredit=1
|
||||
+ - accounts_password_pam_dcredit
|
||||
+ # Require at Least 1 Uppercase Character in Password
|
||||
+ - var_password_pam_ucredit=1
|
||||
+ - accounts_password_pam_ucredit
|
||||
+ # Require at Least 1 Lowercase Character in Password
|
||||
+ - var_password_pam_lcredit=1
|
||||
+ - accounts_password_pam_lcredit
|
||||
+
|
||||
+ # Lock out users after 3 failed authentication attempts within 15 min
|
||||
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
+ - accounts_passwords_pam_faillock_interval
|
||||
+ - var_accounts_passwords_pam_faillock_deny=3
|
||||
+ - accounts_passwords_pam_faillock_deny
|
||||
+ - accounts_passwords_pam_faillock_deny_root
|
||||
+ # Automatically unlock users after 15 min to prevent DoS
|
||||
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
||||
+ - accounts_passwords_pam_faillock_unlock_time
|
||||
+
|
||||
+ # Do not reuse last two passwords
|
||||
+ - var_password_pam_unix_remember=2
|
||||
+ - accounts_password_pam_unix_remember
|
||||
|
||||
- id: R19
|
||||
level: intermediary
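Review bot: The new `notes:` text and the inline comments in the R18 rules list carry spelling errors that will be rendered into the published control file: `"Password Strenght Calculator"` and `# Enforce password lenght for new accounts` (the patch subject has `strenght` too); suggest `"Password Strength Calculator"` and `# Enforce password length for new accounts`. The credit selectors (`var_password_pam_ocredit=1` and the dcredit/ucredit/lcredit siblings) are commented as "Require at Least 1 ..."; that reading holds only if selector `1` maps to a negative pam_pwquality credit value (`-1`) in the variable files, which this patch does not show, so it is worth confirming — a positive credit is a bonus, not a requirement. The two `.var` hunks adding the 18 and 20 selectors are consistent with the `=18` selections made here.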
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
index f506a090bb..873d907ab9 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
@@ -15,6 +15,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
7: 7
|
||||
8: 8
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
index f41ff432ec..662c53b076 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
@@ -13,6 +13,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
8: 8
|
||||
default: 15
|
@ -0,0 +1,47 @@
|
||||
From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 28 Oct 2020 18:52:13 +0100
|
||||
Subject: [PATCH] Select rules for ANSSI R37
|
||||
|
||||
These rules are better fit for R37 than R38.
|
||||
R37 is about binaries designed to be used with setuid or setgid bits.
|
||||
R38 is about reducing number of binaries with setuid root.
|
||||
---
|
||||
controls/anssi.yml | 17 ++++++++++++-----
|
||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..4648b98dff 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -590,8 +590,17 @@ controls:
|
||||
|
||||
- id: R37
|
||||
level: minimal
|
||||
- title: Executables with setuid and/or setgid bits
|
||||
- # rules: TBD
|
||||
+ title: Executables with setuid and setgid bits
|
||||
+ notes: >-
|
||||
+ Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
|
||||
+ This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
|
||||
+ recognized and authorized repositories (covered in R15).
|
||||
+ The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
|
||||
+ should be reviewed.
|
||||
+ automated: yes
|
||||
+ rules:
|
||||
+ - file_permissions_unauthorized_suid
|
||||
+ - file_permissions_unauthorized_sgid
|
||||
|
||||
- id: R38
|
||||
level: enhanced
|
||||
@@ -600,9 +609,7 @@ controls:
|
||||
Setuid executables should be as small as possible. When it is expected
|
||||
that only the administrators of the machine execute them, the setuid bit
|
||||
must be removed and prefer them commands like su or sudo, which can be monitored
|
||||
- rules:
|
||||
- - file_permissions_unauthorized_suid
|
||||
- - file_permissions_unauthorized_sgid
|
||||
+ # rules: TBD
|
||||
|
||||
- id: R39
|
||||
level: intermediary
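Review bot: The new R37 note says `The remediation resets the sticky bit to intended value by vendor/developer`, but the two selected rules (`file_permissions_unauthorized_suid`, `file_permissions_unauthorized_sgid`) concern the setuid and setgid bits, not the sticky bit, so the note names the wrong permission bit. Suggest `The remediation resets the setuid and setgid bits to the values intended by the vendor/developer; any finding after remediation should be reviewed.` The same block has `apropriate` for `appropriate`. Changing the title from `setuid and/or setgid bits` to `setuid and setgid bits` also reads as if both bits must be present on a binary; `setuid or setgid bits` would match the rule pair. The R38 hunk, which only moves the rules out, needs no change.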
|
@ -0,0 +1,37 @@
|
||||
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:04:05 +0100
|
||||
Subject: [PATCH] Add variable selector and notes for R29
|
||||
|
||||
---
|
||||
controls/anssi.yml | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..3303d70295 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -521,10 +521,22 @@ controls:
|
||||
description: >-
|
||||
Remote user sessions (shell access, graphical clients) must be closed
|
||||
after a certain period of inactivity.
|
||||
+ notes: >-
|
||||
+ There is no specific capability to check remote user inactivity, but some shells allow the
|
||||
+ session inactivity time out to be configured via TMOUT variable.
|
||||
+ In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
|
||||
+ The server is configured to disconnect sessions if no data has been received within the idle timeout,
|
||||
+ regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
|
||||
+ In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
|
||||
+ The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
|
||||
+ "don't disconnect network inactive sessions". The server either probes for the client liveness
|
||||
+ or keeps inactive sessions connected.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- accounts_tmout
|
||||
+ - var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- - sshd_idle_timeout_value=5_minutes
|
||||
+ - sshd_idle_timeout_value=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
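Review bot: The new R29 note line `In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.` contradicts the two sentences that follow it, which say the server either probes liveness or keeps inactive sessions connected — what 8.2 removed is dropping a session on network inactivity alone, not on failed liveness probes. Suggest `In OpenSSH >= 8.2 there is no way to disconnect sessions based on network inactivity alone.` (my reading of the ClientAliveCountMax change; confirm against the OpenSSH 8.2 release notes). Since the note itself admits there is no specific capability to check remote user inactivity and the sshd behaviour depends on the OpenSSH version, `automated: yes` looks optimistic; `automated: partially`, as used for R18 and R35 elsewhere in this series, would be more accurate. The 10-minute selectors are consistent between `var_accounts_tmout=10_min` and `sshd_idle_timeout_value=10_minutes`.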
|
@ -0,0 +1,106 @@
|
||||
From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:07:48 +0100
|
||||
Subject: [PATCH 1/4] add rule
|
||||
|
||||
---
|
||||
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 3 --
|
||||
2 files changed, 43 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..67131e509c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -0,0 +1,43 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol7,rhel7
|
||||
+
|
||||
+title: 'Prevent remote hosts from connecting to the proxy display'
|
||||
+
|
||||
+description: |-
|
||||
+ The SSH daemon should prevent remote hosts from connecting to the proxy
|
||||
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
|
||||
+ <tt>yes</tt> within the SSH server configuration file.
|
||||
+
|
||||
+
|
||||
+rationale: |-
|
||||
+ When X11 forwarding is enabled, there may be additional exposure to the
|
||||
+ server and client displays if the sshd proxy display is configured to listen
|
||||
+ on the wildcard address. By default, sshd binds the forwarding server to the
|
||||
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
|
||||
+ environment variable to localhost. This prevents remote hosts from
|
||||
+ connecting to the proxy display.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83404-4
|
||||
+
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stig@rhel7: RHEL-07-040711
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+
|
||||
+ocil_clause: "the display proxy is listening on wildcard address"
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: sshd_lineinfile
|
||||
+ vars:
|
||||
+ missing_parameter_pass: 'false'
|
||||
+ parameter: X11UseLocalhost
|
||||
+ rule_id: sshd_x11_use_localhost
|
||||
+ value: 'yes'
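Review bot: The diffstat of this 1/4 patch lists `shared/references/cce-redhat-avail.txt | 3 --`, but the patch body holds only the rule.yml hunk, so CCE-83404-4, which the new rule assigns at `cce@rhel7: CCE-83404-4`, is not removed from the available pool here (it is still visible as a context line of that pool in the earlier kernel-modules patch of this series). Unless another patch in the series drops it, the identifier stays available for reassignment and a later rule can end up with a duplicate CCE. The series as applied is 1/4, 2/4 and 4/4 with 3/4 absent; if that is deliberate, a line in the patch header saying so would help the next maintainer, and if 3/4 touched something 4/4 depends on the backport should be re-checked. The 4/4 switch to `missing_parameter_pass: 'true'` is consistent with the `ocil_sshd_option(default="yes", ...)` macro used in the rule.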
|
||||
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:08:08 +0100
|
||||
Subject: [PATCH 2/4] add rule to the stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 88b50d5ef4..817e0982e5 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -286,6 +286,7 @@ selections:
|
||||
- package_vsftpd_removed
|
||||
- package_tftp-server_removed
|
||||
- sshd_enable_x11_forwarding
|
||||
+ - sshd_x11_use_localhost
|
||||
- tftpd_uses_secure_mode
|
||||
- package_xorg-x11-server-common_removed
|
||||
- xwindows_runlevel_target
|
||||
|
||||
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Fri, 15 Jan 2021 07:46:09 +0100
|
||||
Subject: [PATCH 4/4] Update
|
||||
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
|
||||
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
index 67131e509c..7267d2443a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -37,7 +37,7 @@ ocil: |-
|
||||
template:
|
||||
name: sshd_lineinfile
|
||||
vars:
|
||||
- missing_parameter_pass: 'false'
|
||||
+ missing_parameter_pass: 'true'
|
||||
parameter: X11UseLocalhost
|
||||
rule_id: sshd_x11_use_localhost
|
||||
value: 'yes'
|
@ -0,0 +1,196 @@
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 851993512..515a4a172 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -850,7 +850,8 @@ controls:
|
||||
- id: R63
|
||||
level: intermediary
|
||||
title: Explicit arguments in sudo specifications
|
||||
- # rules: TBD
|
||||
+ rules:
|
||||
+ - sudoers_explicit_command_args
|
||||
|
||||
- id: R64
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 000000000..94a0cb421
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
||||
@@ -0,0 +1,25 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="Make sure that no command in user spec is without any argument"
|
||||
+ id="test_{{{ rule_id }}}" version="1">
|
||||
+ <ind:object object_ref="object_{{{ rule_id }}}" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
+ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
|
||||
+ where a command is <runas spec>?<anything except ,>+,
|
||||
+ - ',' is a command delimiter, while
|
||||
+ The last capturing group holds the offending command without args.
|
||||
+ -->
|
||||
+ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
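Review bot: The pattern at `<ind:pattern operation="pattern match">^(?:\s*[^#=]+)=...` matches any line whose first `=` is followed by a single argument-less token, which includes stock `Defaults` entries such as `Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin` (shipped uncommented in the RHEL sudoers) and alias lines like `Cmnd_Alias SHELLS = /bin/sh`, so the check fails on a default installation; the test scenarios do not catch this because each one overwrites /etc/sudoers with `>`. Prefix the pattern with a negative lookahead so only user specifications are examined, `^(?!\s*(?:Defaults|\w+_Alias)\b)(?:\s*[^#=]+)=` followed by the existing remainder, and apply the same change to the duplicated expression in the `ocil` text of rule.yml in this patch; skipping `Cmnd_Alias` means argument-less commands hidden behind an alias are not flagged, which should then be stated in the rule's `warnings:`. Add a pass scenario that writes the stock `Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin` line into /etc/sudoers so this regression is pinned. The XML comment above the pattern ends mid-sentence at `- ',' is a command delimiter, while`; finish or drop that clause.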
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||||
new file mode 100644
|
||||
index 000000000..a0590c8b0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||||
@@ -0,0 +1,46 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: "Explicit arguments in sudo specifications"
|
||||
+
|
||||
+description: |-
|
||||
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
|
||||
+ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
|
||||
+ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
|
||||
+ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
|
||||
+ level of its specification.
|
||||
+
|
||||
+ For example, on some systems, the kernel messages are only accessible by root.
|
||||
+ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
|
||||
+ in order to prevent the user from flushing the buffer through the -c option:
|
||||
+ <pre>
|
||||
+ user ALL = dmesg ""
|
||||
+ </pre>
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83631-2
|
||||
+ cce@rhel8: CCE-83632-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R63)
|
||||
+
|
||||
+ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine if arguments that commands can be executed with are restricted, run the following command:
|
||||
+ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ The command should return no output.
|
||||
+
|
||||
+platform: sudo
|
||||
+
|
||||
+warnings:
|
||||
+ - general:
|
||||
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
|
||||
+
|
||||
+ - general:
|
||||
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
|
||||
+ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
||||
new file mode 100644
|
||||
index 000000000..b0d05b2a5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
|
||||
+echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..c6f885f9f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..fce851f55
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..baf66468d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# remediation = none
|
||||
+# packages = sudo
|
||||
+
|
||||
+# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
|
||||
+# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
|
||||
+# and val2 is another command in the user spec.
|
||||
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
|
||||
+
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..9a04a205a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
||||
new file mode 100644
|
||||
index 000000000..4a3a7c94b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
||||
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
||||
+echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..9643a3337
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
||||
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
||||
+echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
||||
+
|
||||
+echo 'user ALL = ALL' > /etc/sudoers.d/bar
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4dbec8255..94a116b59 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -140,8 +140,6 @@ CCE-83626-2
|
||||
CCE-83627-0
|
||||
CCE-83628-8
|
||||
CCE-83629-6
|
||||
-CCE-83631-2
|
||||
-CCE-83632-0
|
||||
CCE-83633-8
|
||||
CCE-83634-6
|
||||
CCE-83635-3
|
@ -0,0 +1,213 @@
|
||||
From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Thu, 4 Feb 2021 09:43:51 +0100
|
||||
Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
|
||||
|
||||
---
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
|
||||
9 files changed, 18 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 52af3ef47e..4e249f61e2 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index 702f23d4dc..a1511b157a 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index b875692944..981d291847 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
index 4a114aebb6..7fc4945518 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
index bf3804b3fa..ee3a20bcc2 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
|
||||
# Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
|
||||
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
|
||||
# Ensure /var/log/audit Located On Separate Partition
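Review bot: The `/var` and `/var/log` volumes in the CIS kickstart are still created without any `--fsoptions`, whereas every other RHEL 8 kickstart edited by this patch mounts `/var` with at least `nodev` and `/var/log` with at least `nodev` (most with `nodev,nosuid,noexec`). The size bump itself is fine, but since the `/var` line is being rewritten anyway, `logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"` would bring it in line with the sibling profiles at no cost. Whether the CIS benchmark version this profile targets actually mandates mount options on these two volumes is not visible here, so treat this as a consistency point to confirm rather than a compliance failure.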
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
index 6e0f83ebb7..8e4b92584f 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
|
||||
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
|
||||
# Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
|
||||
index 119e98364f..ec490c38ee 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
|
||||
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
|
||||
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
|
||||
# Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
|
||||
index 21a50f52fd..386cbcc169 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
|
||||
@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
||||
# CCE-26557-9: Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# CCE-26435-8: Ensure /tmp Located On Separate Partition
|
||||
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
|
||||
# CCE-26639-5: Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# CCE-26215-4: Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
index a3e5e5fec1..28f7ff0927 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
|
||||
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
|
||||
# Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
@ -0,0 +1,426 @@
|
||||
From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 09:41:26 +0100
|
||||
Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
|
||||
|
||||
- No need to restrict IPv6
|
||||
- Root login is not restricted
|
||||
- Simplify boot command
|
||||
- Simplify paritioning
|
||||
- No requirement to enforce use of SELinux
|
||||
---
|
||||
.../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++--------------
|
||||
.../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------
|
||||
2 files changed, 5 insertions(+), 94 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
|
||||
index 4160ac094c..9bc4eae44f 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
|
||||
@@ -54,7 +54,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
+network --onboot yes --device eth0 --bootproto dhcp
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
|
||||
@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
# encrypted password form for different plaintext password
|
||||
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
|
||||
|
||||
-# The selected profile will restrict root login
|
||||
-# Add a user that can login and escalate privileges
|
||||
-# Plaintext password is: admin123
|
||||
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
-
|
||||
-# Configure firewall settings for the system (optional)
|
||||
-# --enabled reject incoming connections that are not in response to outbound requests
|
||||
-# --ssh allow sshd service through the firewall
|
||||
-firewall --enabled --ssh
|
||||
-
|
||||
# Set up the authentication options for the system (required)
|
||||
# --enableshadow enable shadowed passwords by default
|
||||
# --passalgo hash / crypt algorithm for new passwords
|
||||
# See the manual page for authconfig for a complete list of possible options.
|
||||
authconfig --enableshadow --passalgo=sha512
|
||||
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +75,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
@@ -103,33 +89,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
-part pv.01 --grow --size=1
|
||||
-
|
||||
-# Create a Logical Volume Management (LVM) group (optional)
|
||||
-volgroup VolGroup --pesize=4096 pv.01
|
||||
-
|
||||
-# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
-# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
-# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
-# Ensure /tmp Located On Separate Partition
|
||||
-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
|
||||
-# Ensure /var/tmp Located On Separate Partition
|
||||
-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
-# Ensure /var/log Located On Separate Partition
|
||||
-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
-# Ensure /var/log/audit Located On Separate Partition
|
||||
-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
|
||||
-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
|
||||
+autopart
|
||||
|
||||
# Despite the ID referencing NT-28, the profile is aligned to BP-028
|
||||
%addon org_fedora_oscap
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
index 7fc4945518..1d62b55d55 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||
|
||||
-# The selected profile will restrict root login
|
||||
-# Add a user that can login and escalate privileges
|
||||
-# Plaintext password is: admin123
|
||||
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
-
|
||||
-# Configure firewall settings for the system (optional)
|
||||
-# --enabled reject incoming connections that are not in response to outbound requests
|
||||
-# --ssh allow sshd service through the firewall
|
||||
-firewall --enabled --ssh
|
||||
-
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +66,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
@@ -103,33 +80,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
-part pv.01 --grow --size=1
|
||||
-
|
||||
-# Create a Logical Volume Management (LVM) group (optional)
|
||||
-volgroup VolGroup --pesize=4096 pv.01
|
||||
-
|
||||
-# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
-# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
-# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
-# Ensure /tmp Located On Separate Partition
|
||||
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/tmp Located On Separate Partition
|
||||
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
-# Ensure /var/log Located On Separate Partition
|
||||
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/log/audit Located On Separate Partition
|
||||
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
-logvol swap --name=swap --vgname=VolGroup --size=2016
|
||||
+autopart
|
||||
|
||||
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||
# content - security policies - on the installed system.This add-on has been enabled by default
|
||||
|
||||
From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 09:53:20 +0100
|
||||
Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
|
||||
|
||||
- Simplify boot command
|
||||
- No requirement to enforce use of SELinux
|
||||
---
|
||||
.../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +-----
|
||||
.../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++---------------
|
||||
2 files changed, 3 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
index ab654410b5..20c4c59a78 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
@@ -78,10 +78,6 @@ firewall --enabled --ssh
|
||||
# See the manual page for authconfig for a complete list of possible options.
|
||||
authconfig --enableshadow --passalgo=sha512
|
||||
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +85,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 981d291847..3a241b06f4 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
|
||||
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +76,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
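Review bot: The rhel8 intermediary bootloader line drops the GRUB `--password=` entirely, but the rhel7 intermediary kickstart patched in this same series keeps it (`bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$...`), so the two intermediary kickstarts now disagree on whether the boot loader is password-protected. "Simplify boot command" in the commit message explains dropping the `--append` arguments, not removing the password on one product only. Unless the RHEL 8 intermediary profile intentionally has no bootloader-password rule, the line should keep `--password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0` as rhel7 does; if the omission is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.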
|
||||
|
||||
From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 14:03:09 +0100
|
||||
Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
|
||||
|
||||
- Keep restricting IPv6
|
||||
- Audit enabled during boot
|
||||
- No requirement to enforce use of SELinux
|
||||
---
|
||||
.../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
|
||||
.../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
|
||||
2 files changed, 3 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
index 2e75873a28..1d35bedb91 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
@@ -78,10 +78,6 @@ firewall --enabled --ssh
|
||||
# See the manual page for authconfig for a complete list of possible options.
|
||||
authconfig --enableshadow --passalgo=sha512
|
||||
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +85,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
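Review bot: The new rhel7 enhanced bootloader line misspells the kernel parameter as `audit_backlog_limig=8192`; that is not a name the kernel's audit subsystem reads, so the backlog limit stays at its default and the 8192 value is never applied, while the rhel8 enhanced kickstart in this same series spells it `audit_backlog_limit=8192`. Replace `audit_backlog_limig=8192` with `audit_backlog_limit=8192` in the `--append` string. An undersized audit backlog is precisely what causes audit records to be lost early in boot, so the typo quietly defeats the control this change is adding.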
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 4e249f61e2..728946ecb7 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
|
||||
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +76,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
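Review bot: The rhel8 enhanced bootloader line drops `slub_debug=P page_poison=1 vsyscall=none` at the same time as it keeps the audit parameters, and the commit message ("Audit enabled during boot") gives no reason for removing the memory-hardening arguments. As far as I recall, BP-028 places boot-time kernel hardening such as page poisoning, SLUB debugging and disabling vsyscall under its "renforcé" recommendations, which is the level this kickstart targets, so an installed system may fail the profile's own kernel-argument rules until remediation runs; this is worth confirming against the anssi_bp28_enhanced profile selections. If the parameters are still required, keep them: `--append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"`; if they are intentionally excluded at this level, a comment above the bootloader line recording that would help.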
|
||||
|
||||
From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 14:08:15 +0100
|
||||
Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
|
||||
2 files changed, 3 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
index 745dcbd058..73225c2fab 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
@@ -89,7 +89,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
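Review bot: The new bootloader line keeps `--password=$6$zCPaBARiNlBYUAS7…`, which the comment three lines above documents as the hash of the plaintext `password`; a bootloader password whose plaintext ships with the file does not stop anyone from editing kernel arguments at the GRUB prompt, which is exactly what the new `audit=1 audit_backlog_limit=8192` append relies on. Since the line is being rewritten anyway, add `# Replace this hash before deploying; it is a published example value` above it. Separately, the option is given without `--iscrypted`; as far as I recall pykickstart treats `--password=` as plaintext unless `--iscrypted` is present, which would make the effective GRUB password the literal hash string rather than `password` — worth checking against the bootloader documentation linked above.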
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index a1511b157a..cd0eff2625 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
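Review bot: `--noipv6` is added to the `network` line without any note of which ANSSI requirement it satisfies, and the commit message gives none either. If the intent is to meet the profile's IPv6-disabling rules, be aware that, to my understanding, this option only tells the installer not to configure IPv6 on the DHCP interface it writes; it does not set `net.ipv6.conf.*.disable_ipv6` or keep the module from loading, so a scanner may still flag the host after first boot — verify against the profile's actual rule. Either way, document the intent next to the line: `# --noipv6: <ANSSI requirement this satisfies>`.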
|
||||
@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
# State of SELinux on the installed system (optional)
|
||||
# Defaults to enforcing
|
||||
selinux --enforcing
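Review bot: Removing the `authconfig --enableshadow --passalgo=sha512` block deletes the only place this kickstart states the password hashing algorithm, and nothing is added in its place. `authconfig` is presumably dropped because RHEL 8 replaced it with authselect, and the platform default is presumably SHA-512, but neither fact is visible here, so a reader checking this kickstart against a password-hashing rule has to guess. Keep the intent in a comment: `# authconfig is not available on RHEL 8; shadow passwords and sha512 hashing are the installer/authselect defaults`.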
|
||||
@@ -89,7 +80,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
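Review bot: The rewritten line silently drops `slub_debug=P page_poison=1 vsyscall=none` and keeps the `$6$zCPaBARiNlBYUAS7…` bootloader hash that the rhel7 kickstart in this same patch documents as the hash of `password`; the subject "Align ANSSI Kickstarts with high level" does not say whether the high profile stopped requiring those kernel arguments, so state it inline: `# kernel hardening arguments (slub_debug, page_poison, vsyscall) intentionally omitted: <reason>`. Note also that `--password=` is used without `--iscrypted`; if pykickstart treats the value as plaintext in that case (my recollection — please verify), the effective GRUB password is the literal hash string, and the "Plaintext password is" comment on the rhel7 sibling is misleading for this file too.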
|
@ -0,0 +1,57 @@
|
||||
From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 01:02:48 +0100
|
||||
Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
|
||||
|
||||
Remediating this during kickstart install time renders the machine
|
||||
unbootable.
|
||||
---
|
||||
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
index 1811c43815..34e8290f74 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -32,3 +32,6 @@ template:
|
||||
sysctlvar: kernel.modules_disabled
|
||||
sysctlval: '1'
|
||||
datatype: int
|
||||
+ backends:
|
||||
+ # Automated remediation of this rule disrupts installs via kickstart
|
||||
+ bash: 'off'
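Review bot: `bash: 'off'` switches off only the Bash backend; if the sysctl template also emits an Ansible remediation (not visible here, but the `backends` map implies more than one), that remediation still sets `kernel.modules_disabled=1` and would cause the same breakage when run against a host that has not yet loaded every module it needs. Make the scope explicit in the comment — `# Bash remediation is off because kickstart %post runs it before first boot; Ansible remediation is intentionally kept for post-provisioning runs` — or disable that backend too with `ansible: 'off'` if it is equally unsafe at install time.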
|
||||
|
||||
From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 09:23:17 +0100
|
||||
Subject: [PATCH 2/2] Add warning why rule has no remediation
|
||||
|
||||
Rule sysctl_kernel_modules_disabled disrupts the install and boot
|
||||
process if remediated during installation.
|
||||
---
|
||||
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
index 34e8290f74..438cd2759e 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -26,6 +26,11 @@ references:
|
||||
|
||||
platform: machine
|
||||
|
||||
+warnings:
|
||||
+ - general:
|
||||
+ This rule doesn't come with Bash remediation.
|
||||
+ Remediating this rule during the installation process disrupts the install and boot process.
|
||||
+
|
||||
template:
|
||||
name: sysctl
|
||||
vars:
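Review bot: The new warning says remediation during installation disrupts install and boot but not why, which is what an administrator deciding when to apply this by hand needs. As far as I know `kernel.modules_disabled` is one-way — once set to 1 it cannot be cleared without a reboot — and from then on no module that is not already loaded (storage, network, filesystem drivers) can be loaded, which is why an install-time setting leaves the system unbootable. Suggest adding a sentence to the warning: "Once enabled this sysctl cannot be reverted without a reboot and no further kernel modules can be loaded; apply it only late in boot on a fully provisioned system."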
|
||||
@@ -33,5 +38,5 @@ template:
|
||||
sysctlval: '1'
|
||||
datatype: int
|
||||
backends:
|
||||
- # Automated remediation of this rule disrupts installs via kickstart
|
||||
+ # Automated remediation of this rule during installations disrupts the first boot
|
||||
bash: 'off'
|
@ -0,0 +1,62 @@
|
||||
From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 12 Feb 2021 10:36:10 +0100
|
||||
Subject: [PATCH] remove mrules disabling vfat file systems from cis profiles
|
||||
|
||||
---
|
||||
rhcos4/profiles/moderate.profile | 1 -
|
||||
rhel7/profiles/cis.profile | 3 +--
|
||||
rhel8/profiles/cis.profile | 4 ++--
|
||||
sle15/profiles/cis.profile | 1 -
|
||||
4 files changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
|
||||
index 4e715cae9a..966e092c97 100644
|
||||
--- a/rhcos4/profiles/moderate.profile
|
||||
+++ b/rhcos4/profiles/moderate.profile
|
||||
@@ -627,4 +627,3 @@ selections:
|
||||
- kernel_module_squashfs_disabled
|
||||
- kernel_module_udf_disabled
|
||||
- kernel_module_usb-storage_disabled
|
||||
- - kernel_module_vfat_disabled
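Review bot: This hunk drops `kernel_module_vfat_disabled` from rhcos4/profiles/moderate.profile, yet the subject line says the change concerns CIS profiles and the commit body is empty, so the rhcos4 change has no stated justification. The likely reason — vfat is needed to mount the EFI System Partition, so blacklisting the module can break UEFI hosts and bootloader updates — is an inference on my part and should be confirmed and written down, either in the commit message or as a comment at the removal site: `# kernel_module_vfat_disabled deliberately not selected: vfat is required for the EFI System Partition`.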
|
||||
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
||||
index 22d5117546..093d2b5759 100644
|
||||
--- a/rhel7/profiles/cis.profile
|
||||
+++ b/rhel7/profiles/cis.profile
|
||||
@@ -46,8 +46,7 @@ selections:
|
||||
#### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual)
|
||||
|
||||
### 1.1.2 Ensure separate partition exists for /tmp (Scored)
|
||||
- partition_for_tmp
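Review bot: The heading becomes `(Manual)` and the rule under it is deleted, leaving a CIS item header with no content and no hint of what the manual assessment consists of. Since the benchmark still expects an assessor to act on this item, put the guidance under the heading, e.g. `# Manual: vfat is needed for the EFI System Partition on UEFI hosts, so the module is not blacklisted; review FAT media mounts instead` (adjust to the benchmark wording you have at hand).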
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index 9ceeb74f9a..e96d2fbb9d 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -31,8 +31,8 @@ selections:
|
||||
#### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
|
||||
- kernel_module_cramfs_disabled
|
||||
|
||||
- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
|
||||
+
|
||||
|
||||
#### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
|
||||
- kernel_module_squashfs_disabled
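Review bot: The hunk leaves the 1.1.1.2 heading with nothing beneath it and adds a second blank line, so the profile now has an empty section with no indication that the omission is deliberate. A one-line comment in place of the removed selection — `# kernel_module_vfat_disabled not selected: vfat is required for the EFI System Partition (Not Scored)` — keeps the intent visible, and the extra blank line can go.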
|
||||
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
|
||||
index 9a0efedbdd..fa9ff3b775 100644
|
||||
--- a/sle15/profiles/cis.profile
|
||||
+++ b/sle15/profiles/cis.profile
|
||||
@@ -25,7 +25,6 @@ selections:
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
#### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
|
||||
### 1.1.2 Ensure /tmp is configured (Scored)
|
||||
- partition_for_tmp
|
@ -0,0 +1,24 @@
|
||||
From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 25 Jan 2021 18:28:26 +0100
|
||||
Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
|
||||
rule.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
2 files changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index dc9f7dca7c..88d2d77e14 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -19,7 +19,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
- cce@rhel7: CCE-83398-8
|
||||
+ cce@rhel7: CCE-83636-1
|
||||
|
||||
references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
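Review bot: The diffstat lists `shared/references/cce-redhat-avail.txt | 1 -`, but no hunk for that file appears in this patch (its header says 24 lines, all of which are visible here), so as applied CCE-83636-1 is consumed by this rule while still listed as available. That is the usual way a duplicate CCE gets handed out later; either include the hunk removing `CCE-83636-1` from cce-redhat-avail.txt or, if it was dropped on purpose during the backport, say so in the commit message.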
|
@ -0,0 +1,39 @@
|
||||
From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 16 Feb 2021 15:49:46 +0100
|
||||
Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG
|
||||
profile.
|
||||
|
||||
This rule is not aligned with STIG because it checks for space left in
|
||||
megabytes, whereas STIG demands space left in percentage.
|
||||
---
|
||||
rhel8/profiles/stig.profile | 3 ++-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 0aa6f28986..dccfb548b7 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -219,7 +219,8 @@ selections:
|
||||
- package_rsyslog_installed
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_loghost
|
||||
- - auditd_data_retention_space_left
|
||||
+ # this rule expects configuration in MB instead percentage as how STIG demands
|
||||
+ # - auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
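Review bot: The comment justifying the commented-out selection is hard to parse (`instead percentage as how STIG demands`) and does not say what now covers the requirement; with the rule unselected, the STIG's space_left threshold is simply not checked by this profile. Suggest `# auditd_data_retention_space_left checks space_left in MB, but the STIG requires a percentage; unselected until a percentage-based rule exists`, so the coverage gap is visible to anyone auditing the profile.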
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 55b645b67b..41782dcf3d 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -63,7 +63,6 @@ selections:
|
||||
- auditd_data_disk_full_action
|
||||
- auditd_data_retention_action_mail_acct
|
||||
- auditd_data_retention_max_log_file_action
|
||||
-- auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
- auditd_local_events
|
||||
- auditd_log_format
|
@ -0,0 +1,43 @@
|
||||
From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:07 +0100
|
||||
Subject: [PATCH 1/2] remove rule from rhel8 stig
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 882c481066..cda0239433 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -45,7 +45,6 @@ selections:
|
||||
- package_audispd-plugins_installed
|
||||
- package_libcap-ng-utils_installed
|
||||
- auditd_audispd_syslog_plugin_activated
|
||||
- - accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_password_pam_enforce_local
|
||||
- accounts_password_pam_enforce_root
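Review bot: `accounts_passwords_pam_faillock_enforce_local` is removed from the RHEL 8 STIG profile with no rationale in the commit (subject line only) and no comment at the removal site, whereas other unselected rules in this profile carry a `# remediation fails because …` style explanation (see the space_left patch above). Dropping a faillock rule narrows lockout coverage, so record the reason in the same style: `# accounts_passwords_pam_faillock_enforce_local not selected: <reason>`.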
|
||||
|
||||
|
||||
From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:25 +0100
|
||||
Subject: [PATCH 2/2] modify profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index a4ad24aec2..6676ca497c 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -41,7 +41,6 @@ selections:
|
||||
- accounts_password_set_max_life_existing
|
||||
- accounts_password_set_min_life_existing
|
||||
- accounts_passwords_pam_faillock_deny
|
||||
-- accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_passwords_pam_faillock_interval
|
||||
- accounts_passwords_pam_faillock_unlock_time
|
||||
- accounts_umask_etc_bashrc
|
6088
SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
Normal file
843
SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
Normal file
@ -0,0 +1,843 @@
|
||||
From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
|
||||
From: Guang Yee <guang.yee@suse.com>
|
||||
Date: Mon, 11 Jan 2021 12:55:43 -0800
|
||||
Subject: [PATCH] Enable checks and remediations for the following SLES-12
|
||||
STIGs:
|
||||
|
||||
- SLES-12-010030 'banner_etc_issue'
|
||||
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
|
||||
- SLES-12-010450 'encrypt_partitions'
|
||||
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
|
||||
- SLES-12-010500 'package_aide_installed'
|
||||
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
|
||||
- SLES-12-010580 'kernel_module_usb-storage_disabled'
|
||||
- SLES-12-010599 'package_MFEhiplsm_installed'
|
||||
- SLES-12-010690 'no_files_unowned_by_user'
|
||||
- SLES-12-030000 'package_telnet-server_removed'
|
||||
- SLES-12-030010 'ftp_present_banner'
|
||||
- SLES-12-030050 'sshd_enable_warning_banner'
|
||||
- SLES-12-030110 'sshd_set_loglevel_verbose'
|
||||
- SLES-12-030130 'sshd_print_last_log'
|
||||
- SLES-12-030210 'file_permissions_sshd_pub_key'
|
||||
- SLES-12-030220 'file_permissions_sshd_private_key'
|
||||
- SLES-12-030230 'sshd_enable_strictmodes'
|
||||
- SLES-12-030240 'sshd_use_priv_separation'
|
||||
- SLES-12-030250 'sshd_disable_compression'
|
||||
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
|
||||
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
|
||||
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
|
||||
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
|
||||
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
|
||||
---
|
||||
.../ftp_present_banner/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../rule.yml | 1 +
|
||||
.../file_permissions_sshd_pub_key/rule.yml | 1 +
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../sshd_disable_compression/rule.yml | 1 +
|
||||
.../sshd_enable_strictmodes/rule.yml | 1 +
|
||||
.../sshd_enable_warning_banner/rule.yml | 1 +
|
||||
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
|
||||
.../sshd_set_loglevel_verbose/rule.yml | 1 +
|
||||
.../sshd_use_priv_separation/rule.yml | 1 +
|
||||
.../banner_etc_issue/ansible/shared.yml | 2 +-
|
||||
.../banner_etc_issue/rule.yml | 4 ++-
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../bash/shared.sh | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../encrypt_partitions/rule.yml | 8 +++++-
|
||||
.../package_MFEhiplsm_installed/rule.yml | 2 ++
|
||||
.../aide/package_aide_installed/rule.yml | 3 +++
|
||||
.../ansible/sle12.yml | 13 ++++++++++
|
||||
.../rule.yml | 8 +++++-
|
||||
shared/applicability/general.yml | 4 +++
|
||||
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
|
||||
.../kernel_module_disabled/ansible.template | 12 +++++++--
|
||||
.../kernel_module_disabled/bash.template | 9 ++++++-
|
||||
.../kernel_module_disabled/oval.template | 5 ++++
|
||||
sle12/product.yml | 1 +
|
||||
sle12/profiles/stig.profile | 25 +++++++++++++++++++
|
||||
37 files changed, 153 insertions(+), 18 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
|
||||
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
index 35ba09b0d0..3590a085b6 100644
|
||||
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
@@ -19,6 +19,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80248-8
|
||||
+ cce@sle12: CCE-83059-6
|
||||
|
||||
references:
|
||||
stigid@sle12: SLES-12-030010
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
index 317eecdc3d..619b3f0b7d 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
@@ -27,6 +27,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27165-0
|
||||
cce@rhel8: CCE-82182-7
|
||||
+ cce@sle12: CCE-83084-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-021710
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
index 2e52219ece..d460411667 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27485-2
|
||||
cce@rhel8: CCE-82424-3
|
||||
+ cce@sle12: CCE-83058-8
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040420
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
index e59ddc0770..b9e07d71af 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
@@ -13,6 +13,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27311-0
|
||||
cce@rhel8: CCE-82428-4
|
||||
+ cce@sle12: CCE-83057-0
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040410
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
index e07e436d60..f8d422c6c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
index fe7e67c1c2..f8eec6a074 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
@@ -21,6 +21,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80224-9
|
||||
cce@rhel8: CCE-80895-6
|
||||
+ cce@sle12: CCE-83062-0
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040470
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
index 22b98c71a2..601f6a0ca2 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80222-3
|
||||
cce@rhel8: CCE-80904-6
|
||||
+ cce@sle12: CCE-83060-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040450
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
index 2199d61ca9..c93ef6340f 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27314-4
|
||||
cce@rhel8: CCE-80905-3
|
||||
+ cce@sle12: CCE-83066-1
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040170
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
index a0b8ed38ae..0ce5da30b2 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
@@ -17,6 +17,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80225-6
|
||||
cce@rhel8: CCE-82281-7
|
||||
+ cce@sle12: CCE-83083-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040360
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
index 28ce48de8e..2180398855 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
@@ -22,6 +22,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-82419-3
|
||||
cce@rhel8: CCE-82420-1
|
||||
+ cce@sle12: CCE-83077-8
|
||||
|
||||
references:
|
||||
srg: SRG-OS-000032-GPOS-00013
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
index 14d1acfd22..d65ddb6cd1 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80223-1
|
||||
cce@rhel8: CCE-80908-7
|
||||
+ cce@sle12: CCE-83061-2
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040460
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
index f3a0c85ea5..ff6b6eab42 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = unknown
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
index a86ede70f8..637d8ee528 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Modify the System Login Banner'
|
||||
|
||||
@@ -52,6 +52,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27303-7
|
||||
cce@rhel8: CCE-80763-6
|
||||
cce@rhcos4: CCE-82555-4
|
||||
+ cce@sle12: CCE-83054-7
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-010050
|
||||
@@ -64,6 +65,7 @@ references:
|
||||
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
|
||||
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
|
||||
stigid@rhel7: RHEL-07-010050
|
||||
+ stigid@sle12: SLES-12-010030
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
||||
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
||||
cobit5: DSS05.04,DSS05.10,DSS06.10
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
index 9d50a9d20c..536ac29569 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
index e598f4e8cb..32412aa482 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: low
|
||||
identifiers:
|
||||
cce@rhel7: CCE-82041-5
|
||||
cce@rhel8: CCE-80955-8
|
||||
+ cce@sle12: CCE-83065-3
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040000
|
||||
@@ -30,6 +31,7 @@ references:
|
||||
srg: SRG-OS-000027-GPOS-00008
|
||||
vmmsrg: SRG-OS-000027-VMM-000080
|
||||
stigid@rhel7: RHEL-07-040000
|
||||
+ stigid@sle12: SLES-12-010120
|
||||
isa-62443-2013: 'SR 3.1,SR 3.8'
|
||||
isa-62443-2009: 4.3.3.4
|
||||
cobit5: DSS01.05,DSS05.02
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
index 23bcdf8641..007b23ba24 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
|
||||
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
|
||||
# reboot = false
|
||||
# complexity = low
|
||||
# disruption = low
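Review bot: The platform list for this Ansible remediation was limited to Oracle Linux 7, RHEL 7 and RHV 4 — notably not RHEL 8 — which suggests (an inference, not visible here) that it edits the audit 2.x `/etc/audisp/` configuration layout. Before adding `multi_platform_sle`, confirm SLE 12's audit package uses the same configuration file and option names, otherwise the task will report changed while encrypting nothing; once confirmed, record it on the platform line, e.g. `# SLE 12 ships audit 2.x with the /etc/audisp layout this task edits`.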
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
index 4c27eb11fd..1943a00fb2 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
|
||||
title: 'Encrypt Audit Records Sent With audispd Plugin'
|
||||
|
||||
@@ -26,6 +26,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80540-8
|
||||
cce@rhel8: CCE-80926-9
|
||||
+ cce@sle12: CCE-83063-8
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-030310
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist: AU-9(3),CM-6(a)
|
||||
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
||||
stigid@rhel7: RHEL-07-030310
|
||||
+ stigid@sle12: SLES-12-030340
|
||||
ospp: FAU_GEN.1.1.c
|
||||
|
||||
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
index a3f78cb910..8767a5226f 100644
|
||||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80179-5
|
||||
cce@rhel8: CCE-81013-5
|
||||
cce@rhcos4: CCE-82480-5
|
||||
+ cce@sle12: CCE-83078-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040830
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040830
|
||||
+ stigid@sle12: SLES-12-030361
|
||||
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
index 0cd3dbc143..7bc4e3b9b7 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27434-0
|
||||
cce@rhel8: CCE-81011-9
|
||||
cce@rhcos4: CCE-82478-9
|
||||
+ cce@sle12: CCE-83064-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040610
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040610
|
||||
+ stigid@sle12: SLES-12-030360
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
index c48ec8de3d..f7ee2e9818 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80162-1
|
||||
cce@rhel8: CCE-80920-2
|
||||
cce@rhcos4: CCE-82479-7
|
||||
+ cce@sle12: CCE-83079-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040620
|
||||
@@ -34,6 +35,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040620
|
||||
+ stigid@sle12: SLES-12-030370
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
index ddf6b07758..861c3485f3 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
|
||||
|
||||
@@ -19,6 +19,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80999-6
|
||||
cce@rhel8: CCE-80921-0
|
||||
cce@rhcos4: CCE-82485-4
|
||||
+ cce@sle12: CCE-83086-9
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040650
|
||||
@@ -31,6 +32,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040650
|
||||
+ stigid@sle12: SLES-12-030420
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
index 0a829df187..e49942d1cc 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_rhel
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
|
||||
df --local -P | awk '{if (NR!=1) print $6}' \
|
||||
| xargs -I '{}' find '{}' -xdev -type d \
|
||||
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
index d04df8df86..5bb3cf3713 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
@@ -34,6 +34,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80130-8
|
||||
cce@rhel8: CCE-80783-4
|
||||
cce@rhcos4: CCE-82753-5
|
||||
+ cce@sle12: CCE-83047-1
|
||||
|
||||
references:
|
||||
cis@rhe8: 1.1.21
|
||||
@@ -46,6 +47,7 @@ references:
|
||||
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
||||
cis-csc: 12,13,14,15,16,18,3,5
|
||||
cis@sle15: 1.1.22
|
||||
+ stigid@sle12: SLES-12-010460
|
||||
|
||||
ocil_clause: 'any world-writable directories are missing the sticky bit'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
index e664cf9215..faab0b8822 100644
|
||||
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Ensure All Files Are Owned by a User'
|
||||
|
||||
@@ -24,6 +24,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80134-0
|
||||
cce@rhel8: CCE-83499-4
|
||||
+ cce@sle12: CCE-83072-9
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020320
|
||||
@@ -40,6 +41,7 @@ references:
|
||||
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
||||
cis-csc: 11,12,13,14,15,16,18,3,5,9
|
||||
cis@sle15: 6.1.11
|
||||
+ stigid@sle12: SLES-12-010690
|
||||
|
||||
ocil_clause: 'files exist that are not owned by a valid user'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
index c78b570efb..24e77cc74e 100644
|
||||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Disable Modprobe Loading of USB Storage Driver'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27277-3
|
||||
cce@rhel8: CCE-80835-2
|
||||
cce@rhcos4: CCE-82719-6
|
||||
+ cce@sle12: CCE-83069-5
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020100
|
||||
@@ -39,6 +40,7 @@ references:
|
||||
cis-csc: 1,12,15,16,5
|
||||
cis@rhel8: 1.1.23
|
||||
cis@sle15: 1.1.3
|
||||
+ stigid@sle12: SLES-12-010580
|
||||
|
||||
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
|
||||
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index 80d1856778..fe370a4323 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
|
||||
|
||||
title: 'Encrypt Partitions'
|
||||
|
||||
@@ -14,6 +14,7 @@ description: |-
|
||||
option is selected the system will prompt for a passphrase to use in
|
||||
decrypting the partition. The passphrase will subsequently need to be entered manually
|
||||
every time the system boots.
|
||||
+ {{% if product != "sle12" %}}
|
||||
<br /><br />
|
||||
For automated/unattended installations, it is possible to use Kickstart by adding
|
||||
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
|
||||
@@ -26,11 +27,14 @@ description: |-
|
||||
<br /><br />
|
||||
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
|
||||
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
|
||||
+ {{% endif %}}
|
||||
<br /><br />
|
||||
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
|
||||
the {{{ full_name }}} Documentation web site:<br />
|
||||
{{% if product in ["ol7", "ol8"] %}}
|
||||
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
|
||||
+ {{% elif product == "sle12" %}}
|
||||
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
||||
{{% else %}}
|
||||
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
||||
{{% endif %}}
|
||||
@@ -45,6 +49,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27128-8
|
||||
cce@rhel8: CCE-80789-1
|
||||
+ cce@sle12: CCE-83046-3
|
||||
|
||||
references:
|
||||
cui: 3.13.16
|
||||
@@ -58,6 +63,7 @@ references:
|
||||
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
|
||||
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
|
||||
cis-csc: 13,14
|
||||
+ stigid@sle12: SLES-12-010450
|
||||
|
||||
ocil_clause: 'partitions do not have a type of crypto_LUKS'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
index f96cfc925b..c0bf1ee908 100644
|
||||
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80368-4
|
||||
+ cce@sle12: CCE-83071-1
|
||||
|
||||
references:
|
||||
disa: CCI-000366,CCI-001263
|
||||
@@ -31,6 +32,7 @@ references:
|
||||
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
|
||||
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
|
||||
stigid@rhel7: RHEL-07-020019
|
||||
+ stigid@sle12: SLES-12-010599
|
||||
|
||||
ocil_clause: 'the HBSS HIPS module is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
index 699992b48c..23e939bbec 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
@@ -14,6 +14,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27096-7
|
||||
cce@rhel8: CCE-80844-4
|
||||
+ cce@sle12: CCE-83048-9
|
||||
|
||||
references:
|
||||
cis@rhel8: 1.4.1
|
||||
@@ -30,6 +31,8 @@ references:
|
||||
srg: SRG-OS-000363-GPOS-00150
|
||||
cis@sle15: 1.4.1
|
||||
ism: 1034,1288,1341,1417
|
||||
+ stigid@sle12: SLES-12-010500
|
||||
+ disa@sle12: CCI-002699
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
new file mode 100644
|
||||
index 0000000000..6fca48166a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = multi_platform_sle
|
||||
+# reboot = false
|
||||
+# strategy = unknown
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+- name: Ensure GPG check is globally activated (zypper)
|
||||
+ ini_file:
|
||||
+ dest: /etc/zypp/zypp.conf
|
||||
+ section: main
|
||||
+ option: gpgcheck
|
||||
+ value: 1
|
||||
+ no_extra_spaces: yes
|
||||
+ create: False
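Review bot: The header declares `# strategy = unknown` although the task does a definite thing, editing one key in `/etc/zypp/zypp.conf`; the other remediation headers in this commit declare `disable` or `restrict`, and `configure` is presumably the intended value here. `create: False` is a sensible choice since a missing zypp.conf should surface as a failure rather than be silently created, but `no_extra_spaces: yes` will rewrite an existing `gpgcheck = 1` into `gpgcheck=1`, which is a harmless but visible diff on hosts that already comply; mention that in the header if it is intentional.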
|
||||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
index 24cef5499c..1f86aff1e9 100644
|
||||
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
|
||||
title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
|
||||
|
||||
@@ -33,6 +33,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-26989-4
|
||||
cce@rhel8: CCE-80790-9
|
||||
+ cce@sle12: CCE-83068-7
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020050
|
||||
@@ -54,6 +55,7 @@ references:
|
||||
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
|
||||
cis-csc: 11,2,3,9
|
||||
anssi: BP28(R15)
|
||||
+ stigid@sle12: SLES-12-010550
|
||||
|
||||
ocil_clause: 'GPG checking is not enabled'
|
||||
|
||||
@@ -66,4 +68,8 @@ ocil: |-
|
||||
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
|
||||
disabled.
|
||||
|
||||
+{{% if product == 'sle12' %}}
|
||||
+platform: zypper
|
||||
+{{% else %}}
|
||||
platform: yum
|
||||
+{{% endif %}}
|
||||
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||
index a6581fd713..7382b7dd30 100644
|
||||
--- a/shared/applicability/general.yml
|
||||
+++ b/shared/applicability/general.yml
|
||||
@@ -74,3 +74,7 @@ cpes:
|
||||
title: "Package yum is installed"
|
||||
check_id: installed_env_has_yum_package
|
||||
|
||||
+ - zypper:
|
||||
+ name: "cpe:/a:zypper"
|
||||
+ title: "Package zypper is installed"
|
||||
+ check_id: installed_env_has_zypper_package
|
||||
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
new file mode 100644
|
||||
index 0000000000..cf14e6af3c
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
@@ -0,0 +1,25 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory"
|
||||
+ id="installed_env_has_zypper_package" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Package zypper is installed</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_sle</platform>
|
||||
+ </affected>
|
||||
+ <description>Checks if package zypper is installed.</description>
|
||||
+ <reference ref_id="cpe:/a:zypper" source="CPE" />
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
|
||||
+ id="test_env_has_zypper_installed" version="1"
|
||||
+ comment="system has package zypper installed">
|
||||
+ <linux:object object_ref="obj_env_has_zypper_installed" />
|
||||
+ </linux:rpminfo_test>
|
||||
+ <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
|
||||
+ <linux:name>zypper</linux:name>
|
||||
+ </linux:rpminfo_object>
|
||||
+</def-group>
|
||||
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
|
||||
index 47deee6e54..c4a83ad325 100644
|
||||
--- a/shared/templates/kernel_module_disabled/ansible.template
|
||||
+++ b/shared/templates/kernel_module_disabled/ansible.template
|
||||
@@ -1,12 +1,20 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
+{{% if product == "sle12" %}}
|
||||
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
|
||||
+ lineinfile:
|
||||
+ create: yes
|
||||
+ dest: "/etc/modprobe.d/50-blacklist.conf"
|
||||
+ regexp: '^blacklist {{{ KERNMODULE }}}$'
|
||||
+ line: "blacklist {{{ KERNMODULE }}}"
|
||||
+{{% else %}}
|
||||
- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
|
||||
lineinfile:
|
||||
create: yes
|
||||
dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
|
||||
regexp: '{{{ KERNMODULE }}}'
|
||||
line: "install {{{ KERNMODULE }}} /bin/true"
|
||||
-
|
||||
+{{% endif %}}
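Review bot: The new sle12 branch disables the module with a bare `blacklist {{{ KERNMODULE }}}` entry, which only stops the module being pulled in through its aliases; an explicit `modprobe` or a load as a dependency of another module still succeeds, whereas the `install {{{ KERNMODULE }}} /bin/true` form used in the other branch blocks both. Unless the SLES STIG wording specifically demands the bare blacklist line, consider emitting both lines in the sle12 branch, and the same applies to the sle12 branches added to bash.template and oval.template in this commit. The oval.template branch also accepts any run of whitespace (`^blacklist\s+{{{ KERNMODULE }}}$`) while bash.template greps for exactly one space, so a line written with two spaces passes the check but gets a duplicate appended by the remediation; `grep -q -m 1 -E "^blacklist[[:space:]]+{{{ KERNMODULE }}}$"` in the bash branch would align the two.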
|
||||
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
|
||||
index 42c0830b5f..f70a9925cd 100644
|
||||
--- a/shared/templates/kernel_module_disabled/bash.template
|
||||
+++ b/shared/templates/kernel_module_disabled/bash.template
|
||||
@@ -1,11 +1,18 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
+{{% if product == "sle12" %}}
|
||||
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
|
||||
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
|
||||
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
|
||||
+fi
|
||||
+{{% else %}}
|
||||
if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
|
||||
sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
else
|
||||
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
fi
|
||||
+{{% endif %}}
|
||||
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
|
||||
index e5a7aaa8b4..737ae3c796 100644
|
||||
--- a/shared/templates/kernel_module_disabled/oval.template
|
||||
+++ b/shared/templates/kernel_module_disabled/oval.template
|
||||
@@ -54,9 +54,14 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
|
||||
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
|
||||
+ {{% if product == "sle12" %}}
|
||||
+ <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
|
||||
+ {{% else %}}
|
||||
<ind:path>/etc/modprobe.d</ind:path>
|
||||
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
|
||||
+ {{% endif %}}
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/sle12/product.yml b/sle12/product.yml
|
||||
index e465a6d687..d83ad88c21 100644
|
||||
--- a/sle12/product.yml
|
||||
+++ b/sle12/product.yml
|
||||
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
|
||||
init_system: "systemd"
|
||||
|
||||
pkg_manager: "zypper"
|
||||
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
|
||||
oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
|
||||
|
||||
cpes_root: "../shared/applicability"
|
||||
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
|
||||
index 6cf3339569..15c4f70336 100644
|
||||
--- a/sle12/profiles/stig.profile
|
||||
+++ b/sle12/profiles/stig.profile
|
||||
@@ -12,34 +12,59 @@ selections:
|
||||
- account_temp_expire_date
|
||||
- accounts_have_homedir_login_defs
|
||||
- accounts_logon_fail_delay
|
||||
+ - accounts_max_concurrent_login_sessions
|
||||
- accounts_maximum_age_login_defs
|
||||
+ - accounts_minimum_age_login_defs
|
||||
- accounts_no_uid_except_zero
|
||||
- accounts_password_set_max_life_existing
|
||||
- accounts_password_set_min_life_existing
|
||||
- accounts_umask_etc_login_defs
|
||||
+ - auditd_audispd_encrypt_sent_records
|
||||
- auditd_data_disk_full_action
|
||||
- auditd_data_retention_action_mail_acct
|
||||
- auditd_data_retention_space_left
|
||||
+ - banner_etc_issue
|
||||
- banner_etc_motd
|
||||
+ - dir_perms_world_writable_sticky_bits
|
||||
- disable_ctrlaltdel_reboot
|
||||
+ - encrypt_partitions
|
||||
+ - ensure_gpgcheck_globally_activated
|
||||
+ - file_permissions_sshd_private_key
|
||||
+ - file_permissions_sshd_pub_key
|
||||
+ - ftp_present_banner
|
||||
- gnome_gdm_disable_automatic_login
|
||||
- grub2_password
|
||||
- grub2_uefi_password
|
||||
- installed_OS_is_vendor_supported
|
||||
+ - kernel_module_usb-storage_disabled
|
||||
- no_empty_passwords
|
||||
+ - no_files_unowned_by_user
|
||||
- no_host_based_files
|
||||
- no_user_host_based_files
|
||||
+ - package_MFEhiplsm_installed
|
||||
+ - package_aide_installed
|
||||
- package_audit-audispd-plugins_installed
|
||||
- package_audit_installed
|
||||
+ - package_telnet-server_removed
|
||||
- postfix_client_configure_mail_alias
|
||||
- security_patches_up_to_date
|
||||
- service_auditd_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+ - sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
||||
- sshd_disable_user_known_hosts
|
||||
- sshd_do_not_permit_user_env
|
||||
+ - sshd_enable_strictmodes
|
||||
+ - sshd_enable_warning_banner
|
||||
- sshd_enable_x11_forwarding
|
||||
+ - sshd_print_last_log
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_set_keepalive
|
||||
+ - sshd_set_loglevel_verbose
|
||||
+ - sshd_use_priv_separation
|
||||
- sudo_remove_no_authenticate
|
||||
- sudo_remove_nopasswd
|
||||
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||||
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
1313
SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
Normal file
@ -0,0 +1,259 @@
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
index abcebf60c7..50c7d689af 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
@@ -61,7 +61,6 @@ references:
|
||||
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
|
||||
- stigid@rhel7: RHEL-07-040110
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
||||
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..4796a2eab1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Configure sshd to use approved ciphers"
|
||||
+ lineinfile:
|
||||
+ path: /etc/ssh/sshd_config
|
||||
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
+ state: present
|
||||
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
||||
+ create: True
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..8f751ed516
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+
|
||||
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
|
||||
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
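Review bot: The platform header lists `multi_platform_wrlinux` and `Oracle Linux 7` (and the ansible variant lists Oracle Linux 7) while the new rule.yml in this commit sets `prodtype: rhel7` only, so this remediation can never be emitted for those products and the header overstates its scope; either trim the header to `# platform = Red Hat Enterprise Linux 7` or extend prodtype to match. The sed/echo logic itself is consistent with the OVAL pattern, but note that `grep -P` is a GNU extension; `grep -q -E '^[[:space:]]*[Cc]iphers[[:space:]]+'` expresses the same test portably.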
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..53ff0a2a9e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
||||
@@ -0,0 +1,38 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
+ <criteria comment="SSH is configured correctly or is not installed"
|
||||
+ operator="OR">
|
||||
+ <criteria comment="sshd is not installed" operator="AND">
|
||||
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||
+ definition_ref="sshd_not_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server removed"
|
||||
+ definition_ref="package_openssh-server_removed" />
|
||||
+ </criteria>
|
||||
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||
+ definition_ref="sshd_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server installed"
|
||||
+ definition_ref="package_openssh-server_installed" />
|
||||
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
|
||||
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
|
||||
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
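Review bot: The test establishes that a compliant `Ciphers` line exists, not that it is the one sshd uses: the object's pattern matches only compliant lines, so with `instance 1` and `all_exist` the first compliant line passes even when a non-compliant `Ciphers` line precedes it, and sshd_config(5) honors the first value obtained for each keyword. Closing that gap needs a second object that matches any `^\s*(?i)Ciphers` line, paired with a state or a `none_exist` test asserting that no such line falls outside the approved, ordered set; as written a hardened line appended after an older permissive one reports pass. Two smaller points on the pattern: `(aes256-ctr(?=[\w,]+|$),?)?` accepts a trailing comma (`Ciphers aes256-ctr,`), and the criterion comment misspells `Cipers`.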
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..0751064179
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
@@ -0,0 +1,64 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel7
|
||||
+
|
||||
+title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
+
|
||||
+description: |-
|
||||
+ Limit the ciphers to those algorithms which are FIPS-approved.
|
||||
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
||||
+ demonstrates use of FIPS-approved ciphers:
|
||||
+ <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
|
||||
+ This rule ensures that there are configured ciphers mentioned
|
||||
+ above (or their subset), keeping the given order of algorithms.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
|
||||
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
|
||||
+ <br />
|
||||
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
|
||||
+ cryptographic modules.
|
||||
+ <br />
|
||||
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
|
||||
+ utilize authentication that meets industry and government requirements. For government systems, this allows
|
||||
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83398-8
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
||||
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
+ stigid@rhel7: RHEL-07-040110
|
||||
+
|
||||
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
|
||||
+ ciphers are in use, run the following command:
|
||||
+ <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
|
||||
+ The output should contain only following ciphers (or a subset) in the exact order:
|
||||
+ <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The system needs to be rebooted for these changes to take effect.
|
||||
+ - regulatory: |-
|
||||
+ System Crypto Modules must be provided by a vendor that undergoes
|
||||
+ FIPS-140 certifications.
|
||||
+ FIPS-140 is applicable to all Federal agencies that use
|
||||
+ cryptographic-based security systems to protect sensitive information
|
||||
+ in computer and telecommunication systems (including voice systems) as
|
||||
+ defined in Section 5131 of the Information Technology Management Reform
|
||||
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
+ designing and implementing cryptographic modules that Federal
|
||||
+ departments and agencies operate or are operated for them under
|
||||
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
+ To meet this, the system has to have cryptographic software provided by
|
||||
+ a vendor that has undergone this certification. This means providing
|
||||
+ documentation, test results, design information, and independent third
|
||||
+ party review by an accredited lab. While open source software is
|
||||
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
+ submits to this process.
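Review bot: The OCIL verification command `<pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>` is case-sensitive, while the OVAL pattern for this rule matches the keyword with `(?i)` and the correct_value.pass.sh test on this page writes a lowercase `ciphers` line, so a manual assessor following the OCIL text would report a line the automated check accepts as compliant. Suggest `<pre>$ sudo grep -i ciphers /etc/ssh/sshd_config</pre>`, which is also how the companion MACs rule phrases its OCIL step.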
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..daff7d7c53
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b9d22262af
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b99d3832cd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6dfd54631c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7b38914a1a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6fdb47093d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..24fdf0f30d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 6c06a8ede6..adf86894e1 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -239,8 +239,7 @@ selections:
|
||||
- install_antivirus
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- configure_firewalld_ports
|
||||
- - sshd_approved_ciphers=stig
|
||||
- - sshd_use_approved_ciphers
|
||||
+ - sshd_use_approved_ciphers_ordered_stig
|
||||
- accounts_tmout
|
||||
- sshd_enable_warning_banner
|
||||
- sssd_ldap_start_tls
|
@ -0,0 +1,386 @@
|
||||
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:07 +0100
|
||||
Subject: [PATCH 1/7] add rule and remediations
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 13 +++++
|
||||
.../bash/shared.sh | 7 +++
|
||||
.../oval/shared.xml | 38 +++++++++++++
|
||||
.../rule.yml | 57 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
5 files changed, 115 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..cefba7db05
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Configure sshd to use approved MACs"
|
||||
+ lineinfile:
|
||||
+ path: /etc/ssh/sshd_config
|
||||
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
|
||||
+ state: present
|
||||
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
||||
+ create: True
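Review bot: The `regexp` only matches a MACs line that is already compliant (both capture groups are optional), so when sshd_config holds a non-approved `MACs` value lineinfile appends a second line instead of replacing the first, and since sshd uses the first occurrence of a keyword the host stays non-compliant after remediation. Match any existing MACs line instead, e.g. `regexp: '^\s*MACs\s+'`, which mirrors what the bash remediation's sed does. Separately, `[\w,-@]` is a character range from `,` to `@` (it also admits digits, `;`, `<`, `=`, `>`, `?`), not a literal hyphen; the same class was dropped from the OVAL pattern in patches 5/7 and 7/7 of this series but survives here.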
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c76190fb96
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+
|
||||
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
||||
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
+fi
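Review bot: Both the grep and the sed match `MACs` case-sensitively, while the OVAL check for this rule uses `(?i)`; sshd keywords are case-insensitive, so an existing `macs` line would not be rewritten and the script would append a second MACs line that sshd ignores in favour of the first. `grep -qiP '^\s*MACs\s+'` together with `sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/I'` closes that gap (the script already relies on GNU sed). The revised grep line in patch 6/7's hunk of this file has the same issue. The platform line here lists multi_platform_wrlinux while the Ansible remediation lists only RHEL 7 and Oracle Linux 7; presumably intentional, but worth confirming.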
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..d7fbd9f0ed
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -0,0 +1,38 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
+ <criteria comment="SSH is configured correctly or is not installed"
|
||||
+ operator="OR">
|
||||
+ <criteria comment="sshd is not installed" operator="AND">
|
||||
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||
+ definition_ref="sshd_not_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server removed"
|
||||
+ definition_ref="package_openssh-server_removed" />
|
||||
+ </criteria>
|
||||
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||
+ definition_ref="sshd_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server installed"
|
||||
+ definition_ref="package_openssh-server_installed" />
|
||||
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
|
||||
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
|
||||
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..dc9f7dca7c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -0,0 +1,57 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel7
|
||||
+
|
||||
+title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
+
|
||||
+description: |-
|
||||
+ Limit the MACs to those hash algorithms which are FIPS-approved.
|
||||
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
||||
+ demonstrates use of FIPS-approved MACs:
|
||||
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+ This rule ensures that there are configured MACs mentioned
|
||||
+ above (or their subset), keeping the given order of algorithms.
|
||||
+
|
||||
+rationale: |-
|
||||
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
|
||||
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83398-8
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
+ stigid@rhel7: RHEL-07-040400
|
||||
+
|
||||
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
|
||||
+ MACs are in use, run the following command:
|
||||
+ <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
|
||||
+ The output should contain only following MACs (or a subset) in the exact order:
|
||||
+ <pre>hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The system needs to be rebooted for these changes to take effect.
|
||||
+ - regulatory: |-
|
||||
+ System Crypto Modules must be provided by a vendor that undergoes
|
||||
+ FIPS-140 certifications.
|
||||
+ FIPS-140 is applicable to all Federal agencies that use
|
||||
+ cryptographic-based security systems to protect sensitive information
|
||||
+ in computer and telecommunication systems (including voice systems) as
|
||||
+ defined in Section 5131 of the Information Technology Management Reform
|
||||
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
+ designing and implementing cryptographic modules that Federal
|
||||
+ departments and agencies operate or are operated for them under
|
||||
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
+ To meet this, the system has to have cryptographic software provided by
|
||||
+ a vendor that has undergone this certification. This means providing
|
||||
+ documentation, test results, design information, and independent third
|
||||
+ party review by an accredited lab. While open source software is
|
||||
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
+ submits to this process.
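Review bot: `cce@rhel7: CCE-83398-8` is the identifier the ciphers rule (sshd_use_approved_ciphers_ordered_stig/rule.yml, earlier on this page) already assigns, so two RHEL 7 rules now share one CCE; the diffstat shows a line removed from shared/references/cce-redhat-avail.txt, which suggests a fresh CCE was reserved but not the one written here. Assign the reserved identifier instead, e.g. `cce@rhel7: <CCE-ID reserved for this rule>`. Wording in the rationale: `The only SSHv2 hash algorithms meeting this requirement is SHA2` should read `The only SSHv2 hash algorithms meeting this requirement are SHA2`.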
|
||||
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:25 +0100
|
||||
Subject: [PATCH 2/7] add tests
|
||||
|
||||
---
|
||||
.../tests/comment.fail.sh | 7 +++++++
|
||||
.../tests/correct_reduced_list.pass.sh | 7 +++++++
|
||||
.../tests/correct_scrambled.fail.sh | 7 +++++++
|
||||
.../tests/correct_value.pass.sh | 7 +++++++
|
||||
.../tests/line_not_there.fail.sh | 3 +++
|
||||
.../tests/no_parameters.fail.sh | 7 +++++++
|
||||
.../tests/wrong_value.fail.sh | 7 +++++++
|
||||
7 files changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..26bf18234c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
+fi
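Review bot: The fallback branch writes `# ciphers MACs hmac-sha2-512,hmac-sha2-256`, a copy-paste leftover from the ciphers test; the scenario still fails as intended because the line is commented out, but it should be `echo "# MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config` to match the sed branch above it.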
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0d922cdee9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..ce3f459352
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..19da7102a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fd1f19347a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..44c07c6de0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs ' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..cf56cd228f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
|
||||
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:58 +0100
|
||||
Subject: [PATCH 3/7] modify rhel7 stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 6c06a8ede6..17c781d3eb 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -28,7 +28,6 @@ selections:
|
||||
- inactivity_timeout_value=15_minutes
|
||||
- var_screensaver_lock_delay=5_seconds
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - sshd_approved_macs=stig
|
||||
- var_accounts_fail_delay=4
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
@@ -259,7 +258,7 @@ selections:
|
||||
- sshd_print_last_log
|
||||
- sshd_disable_root_login
|
||||
- sshd_allow_only_protocol2
|
||||
- - sshd_use_approved_macs
|
||||
+ - sshd_use_approved_macs_ordered_stig
|
||||
- file_permissions_sshd_pub_key
|
||||
- file_permissions_sshd_private_key
|
||||
- sshd_disable_gssapi_auth
|
||||
|
||||
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:33:10 +0100
|
||||
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
|
||||
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index 394c733f51..d47eb443f5 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -54,7 +54,6 @@ references:
|
||||
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
|
||||
- stigid@rhel7: RHEL-07-040400
|
||||
stigid@sle12: SLES-12-030180
|
||||
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
|
||||
|
||||
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:43:16 +0100
|
||||
Subject: [PATCH 5/7] simplify regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index d7fbd9f0ed..5973488661 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
|
||||
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:55:19 +0100
|
||||
Subject: [PATCH 6/7] make bash remediation more readable
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
index c76190fb96..f8f6f39bee 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
|
||||
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
||||
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
|
||||
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
||||
else
|
||||
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
|
||||
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 13:05:18 +0100
|
||||
Subject: [PATCH 7/7] one more small fix to oval regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index 5973488661..b5443b07c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -0,0 +1,30 @@
|
||||
From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Mon, 18 Jan 2021 15:21:51 +0100
|
||||
Subject: [PATCH] Supress Ansible lint error 503
|
||||
|
||||
It says that Tasks that run when changed should likely be handlers.
|
||||
However, we don't use handlers, and developer guide says that handlers
|
||||
aren't supported. I assume handlers would cause problems for SCAP
|
||||
scanners. Unless we start to support handlers this error isn't fixable
|
||||
for us therefore we can suppress it globally.
|
||||
|
||||
Addressing problems in scap-security-guide-lint-check Jenkins job:
|
||||
30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
|
||||
all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
---
|
||||
tests/ansible-lint_config.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
|
||||
index d5107476a9..e4b4443f8c 100644
|
||||
--- a/tests/ansible-lint_config.yml
|
||||
+++ b/tests/ansible-lint_config.yml
|
||||
@@ -3,3 +3,4 @@ skip_list:
|
||||
- '301' # Commands should not change things if nothing needs doing
|
||||
- '303' # Using command rather than module
|
||||
- '403' # Package installs should not use latest
|
||||
+ - '503' # Tasks that run when changed should likely be handlers
|
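Review bot: The new `'503'` entry in tests/ansible-lint_config.yml records only the rule's name, while the reason it is safe to skip globally (the remediation playbooks do not use handlers, so the rule can never be satisfied) survives only in this commit message. A reader of the skip list cannot tell whether the entry is a deliberate policy or a leftover, and a blanket skip is easy to forget once the reason stops holding. Consider carrying the rationale in the comment itself, e.g. `- '503' # Tasks that run when changed should likely be handlers; handlers are not used in remediation playbooks`.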
@ -0,0 +1,73 @@
|
||||
From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri, 15 Jan 2021 16:28:07 +0100
|
||||
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
|
||||
|
||||
---
|
||||
.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
|
||||
.../sshd_enable_x11_forwarding/rule.yml | 1 -
|
||||
rhel7/profiles/stig.profile | 2 +-
|
||||
3 files changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
index 1779129f87..7da2e067a6 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
@@ -19,22 +19,23 @@ rationale: |-
|
||||
other users on the X11 server. Note that even if X11 forwarding is disabled,
|
||||
users can always install their own forwarders.
|
||||
|
||||
-severity: low
|
||||
+severity: medium
|
||||
|
||||
-ocil_clause: "that the X11Forwarding option exists and is enabled"
|
||||
-
|
||||
-ocil: |-
|
||||
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
|
||||
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-83359-0
|
||||
cce@rhel8: CCE-83360-8
|
||||
|
||||
references:
|
||||
- cis@rhel7: 5.2.4
|
||||
- cis@rhel8: 5.2.6
|
||||
- cis@sle12: 5.2.4
|
||||
- cis@sle15: 5.2.6
|
||||
+ cis@rhel7: 5.2.4
|
||||
+ cis@rhel8: 5.2.6
|
||||
+ cis@sle12: 5.2.4
|
||||
+ cis@sle15: 5.2.6
|
||||
+ stigid@rhel7: RHEL-07-040710
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
|
||||
template:
|
||||
name: sshd_lineinfile
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
index 803e581a0f..87c3cb7f5a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
@@ -29,7 +29,6 @@ references:
|
||||
nist: CM-6(a),AC-17(a),AC-17(2)
|
||||
nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
- stigid@rhel7: RHEL-07-040710
|
||||
stigid@sle12: SLES-12-030260
|
||||
isa-62443-2013: 'SR 7.6'
|
||||
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 817e0982e5..6c06a8ede6 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -285,7 +285,7 @@ selections:
|
||||
- postfix_prevent_unrestricted_relay
|
||||
- package_vsftpd_removed
|
||||
- package_tftp-server_removed
|
||||
- - sshd_enable_x11_forwarding
|
||||
+ - sshd_disable_x11_forwarding
|
||||
- sshd_x11_use_localhost
|
||||
- tftpd_uses_secure_mode
|
||||
- package_xorg-x11-server-common_removed
|
@ -0,0 +1,688 @@
|
||||
From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:17:15 +0100
|
||||
Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
|
||||
|
||||
This is not necessary as the ANSSI controls file handles this.
|
||||
---
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 64a9b542a0..4d0029af1d 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -7,7 +7,6 @@ description:
|
||||
Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
https://www.ssi.gouv.fr/.
|
||||
|
||||
-extends: anssi_bp28_minimal
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
|
||||
From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:21:47 +0100
|
||||
Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
|
||||
|
||||
---
|
||||
controls/anssi.yml | 2 +-
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++-----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++----
|
||||
9 files changed, 71 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2173d23f9d..54c05245b7 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -1,5 +1,5 @@
|
||||
policy: 'ANSSI-BP-028'
|
||||
-title: 'ANSSI-BP-028'
|
||||
+title: 'Configuration Recommendations of a GNU/Linux System'
|
||||
id: anssi
|
||||
version: '1.2'
|
||||
source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 5893d12dbd..49fa8593fe 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
|
||||
+title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 52ae1dd6d2..2853f20607 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
|
||||
- d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index e18225247b..55f985a7a9 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,10 +1,16 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
|
||||
+title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
|
||||
- des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:intermediary
|
||||
+ - anssi:all:intermediary
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 214f37d14b..7786a26b45 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
|
||||
+title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:minimal
|
||||
+ - anssi:all:minimal
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 4c39852b65..49fa8593fe 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 6b0489e0f1..2853f20607 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,11 +1,15 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the high level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 4d0029af1d..50ab1ba0b8 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -2,11 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d8f076c3e7..d477d34787 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the minimal level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:minimal
|
||||
|
||||
From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 12:23:14 +0100
|
||||
Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_high.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++----
|
||||
8 files changed, 32 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 55f985a7a9..6e39a978e5 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,15 +1,15 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 7786a26b45..f0a77bccd7 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 50ab1ba0b8..6dcd2b8ef2 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d477d34787..54e8cbd5a6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
|
||||
From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 11:11:57 +0100
|
||||
Subject: [PATCH 4/5] Fix ANSSI document number for consistency
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 6e39a978e5..4454976862 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -4,7 +4,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index f0a77bccd7..cc2cbd8359 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: false
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 6dcd2b8ef2..a9e0442257 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 54e8cbd5a6..090b571bb6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 16:05:07 +0100
|
||||
Subject: [PATCH 5/5] Fix single quote in ANSSI name
|
||||
|
||||
Previously the description was enclosed in single quotes, requiring a
|
||||
single quote to be escaped.
|
||||
Now the description is not enclosed in single quotes and there is no
|
||||
need to escape it.
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 4454976862..0c43ab8d73 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index cc2cbd8359..480333747c 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index a9e0442257..a592031673 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 090b571bb6..cef8394114 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
@ -0,0 +1,89 @@
|
||||
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 18 Jan 2021 11:18:43 +0100
|
||||
Subject: [PATCH] Update metadata for a few miminal and intermediary
|
||||
requirements
|
||||
|
||||
---
|
||||
controls/anssi.yml | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..9288ac1663 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -506,7 +506,10 @@ controls:
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is difficult to generally identify the system's service accounts.
|
||||
+ Assisting rules could list users which are not disabled for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R28
|
||||
level: enhanced
|
||||
@@ -530,7 +533,10 @@ controls:
|
||||
- id: R30
|
||||
level: minimal
|
||||
title: Applications using PAM
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
|
||||
+ Asssising rules could be created to list all applications using PAM for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R31
|
||||
title: Securing PAM Authentication Network Services
|
||||
@@ -580,6 +586,7 @@ controls:
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
||||
level: intermediary
|
||||
+ automated: yes
|
||||
rules:
|
||||
- file_owner_etc_shadow
|
||||
- file_permissions_etc_shadow
|
||||
@@ -637,7 +644,10 @@ controls:
|
||||
- id: R42
|
||||
level: minimal
|
||||
title: In memory services and daemons
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of resident daemons is minimal.
|
||||
+ Asssising rules could be created to list sevices listening on the network for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R43
|
||||
title: Hardening and configuring the syslog
|
||||
@@ -709,6 +719,7 @@ controls:
|
||||
- id: R48
|
||||
level: intermediary
|
||||
title: Configuring the local messaging service
|
||||
+ automated: yes
|
||||
rules:
|
||||
- postfix_network_listening_disabled
|
||||
|
||||
@@ -825,6 +836,7 @@ controls:
|
||||
level: intermediary
|
||||
title: Privileges of target sudo users
|
||||
description: The targeted users of a rule should be, as much as possible, non privileged users.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_root_target
|
||||
|
||||
@@ -840,12 +852,14 @@ controls:
|
||||
level: intermediary
|
||||
title: Good use of negation in a sudoers file
|
||||
description: The sudoers configuration rules should not involve negation.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_command_negation
|
||||
|
||||
- id: R63
|
||||
level: intermediary
|
||||
title: Explicit arguments in sudo specifications
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_explicit_command_args
|
||||
|
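Review bot: The new `notes` text for R30 and R42 in the `controls/anssi.yml` hunk misspells "Assisting" as `Asssising`, and the R42 note also has `sevices` for "services", while the R27 note added in the same hunk spells it correctly. Since these notes are presumably rendered into generated control documentation, the two lines should read `Assisting rules could be created to list all applications using PAM for manual review.` and `Assisting rules could be created to list services listening on the network for manual review.`. The patch subject line also carries a typo (`miminal` for "minimal"), which will survive into the SRPM changelog if the patch file is kept as is.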
@ -0,0 +1,352 @@
|
||||
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Mon, 8 Feb 2021 15:57:43 +0100
|
||||
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
|
||||
kickstart
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
index 1d35bedb91..c381512476 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
index 73225c2fab..a672b38b83 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
@@ -103,7 +103,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
index 20c4c59a78..88a7cee8ab 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 728946ecb7..6f66a3774b 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index cd0eff2625..b5c09253a5 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -94,7 +94,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 3a241b06f4..fb785e0c11 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
|
||||
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:34 +0100
|
||||
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
|
||||
remediation
|
||||
|
||||
---
|
||||
.../bash/shared.sh | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7e2b3bd76b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+include_mount_options_functions
|
||||
+
|
||||
+MOUNT_OPTION="nodev"
|
||||
+# Create array of local non-root partitions
|
||||
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
|
||||
+
|
||||
+for partition_record in "${partitions_records[@]}"; do
|
||||
+ # Get all important information for fstab
|
||||
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
|
||||
+ device="$(echo ${partition_record} | cut -d " " -f2)"
|
||||
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
|
||||
+ # device and device_type will be used only in case when the device doesn't have fstab record
|
||||
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
|
||||
+ ensure_partition_is_mounted "$mount_point"
|
||||
+done
|
||||
|
||||
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:54 +0100
|
||||
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
|
||||
scenarios
|
||||
|
||||
---
|
||||
.../tests/correct.pass.sh | 23 +++++++++++++++++
|
||||
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
|
||||
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
|
||||
5 files changed, 113 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..8bfac4b80f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..84cadd6f73
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
@@ -0,0 +1,19 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+mkdir /tmp/test_dir
|
||||
+mount $PARTITION /tmp/test_dir
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7a09093f46
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c20a98bdcc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a95410526f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
@@ -0,0 +1,25 @@
|
||||
+#!/bin/bash
|
||||
+# packages = nfs-utils
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+mkdir /tmp/testdir
|
||||
+mkdir /tmp/testmount
|
||||
+chown 2 /tmp/testdir
|
||||
+chmod 777 /tmp/testdir
|
||||
+
|
||||
+echo '/tmp/testdir localhost(rw)' > /etc/exports
|
||||
+systemctl restart nfs-server
|
||||
+mount.nfs localhost:/tmp/testdir /tmp/testmount
|
||||
|
||||
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 18:32:26 +0100
|
||||
Subject: [PATCH 4/5] Add Ansible for
|
||||
mount_option_nodev_nonroot_local_partitions
|
||||
|
||||
The remediation metadata were inspired by the template mount_options
|
||||
---
|
||||
.../ansible/shared.yml | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..8530604308
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = high
|
||||
+
|
||||
+- name: Ensure non-root local partitions are mounted with nodev option
|
||||
+ mount:
|
||||
+ path: "{{ item.mount }}"
|
||||
+ src: "{{ item.device}}"
|
||||
+ opts: "{{ item.options }},nodev"
|
||||
+ state: "mounted"
|
||||
+ fstype: "{{ item.fstype }}"
|
||||
+ when:
|
||||
+ - "item.mount is match('/\\w')"
|
||||
+ - "item.options is not search('nodev')"
|
||||
+ with_items:
|
||||
+ - "{{ ansible_facts.mounts }}"
|
||||
|
||||
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 20:29:32 +0100
|
||||
Subject: [PATCH 5/5] Add space before and after variable
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
index 8530604308..2aa9a53e4d 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
- name: Ensure non-root local partitions are mounted with nodev option
|
||||
mount:
|
||||
path: "{{ item.mount }}"
|
||||
- src: "{{ item.device}}"
|
||||
+ src: "{{ item.device }}"
|
||||
opts: "{{ item.options }},nodev"
|
||||
state: "mounted"
|
||||
fstype: "{{ item.fstype }}"
|
@ -1,26 +1,48 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.50
|
||||
Release: 6%{?dist}
|
||||
Version: 0.1.54
|
||||
Release: 5%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
Group: Applications/System
|
||||
License: BSD
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
|
||||
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
|
||||
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
|
||||
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
|
||||
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
|
||||
# Patch6 already contains typo fix
|
||||
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
|
||||
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
|
||||
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
|
||||
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
|
||||
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
|
||||
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
|
||||
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
|
||||
Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
|
||||
Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
|
||||
Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
|
||||
Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
|
||||
Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
|
||||
Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
|
||||
Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
|
||||
Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
|
||||
Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
|
||||
Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
|
||||
Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
|
||||
Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
|
||||
Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
|
||||
Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
|
||||
Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
|
||||
Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
|
||||
Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
|
||||
Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
|
||||
Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
|
||||
Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
|
||||
Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
|
||||
Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
|
||||
Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
|
||||
Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
|
||||
Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
|
||||
Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
|
||||
Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
|
||||
# Untill ANSSI High profile is shipped we drop the ks too
|
||||
Patch28: remove-ANSSI-high-ks.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
@ -53,7 +75,7 @@ hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -b 1
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
@ -67,13 +89,28 @@ present in %{name} package.
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
mkdir build
|
||||
|
||||
%build
|
||||
cd build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
||||
@ -86,6 +123,11 @@ cd build
|
||||
cd build
|
||||
%make_install
|
||||
|
||||
# Manually install pre-built rhel6 content
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
@ -101,6 +143,70 @@ cd build
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%changelog
|
||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
||||
|
||||
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
|
||||
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
|
||||
|
||||
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
|
||||
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
|
||||
|
||||
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
|
||||
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
|
||||
|
||||
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
|
||||
|
||||
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
|
||||
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
|
||||
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
|
||||
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
|
||||
|
||||
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
|
||||
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
|
||||
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
|
||||
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
|
||||
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
|
||||
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
|
||||
|
||||
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
|
||||
- Update list of profiles built (RHBZ#1889344)
|
||||
|
||||
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
|
||||
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
|
||||
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
|
||||
|
||||
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
|
||||
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
|
||||
|
||||
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
|
||||
- remove rationale from rules that contain defective links (rhbz#1854854)
|
||||
|
||||
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
|
||||
- fixed link in a grub2 rule description (rhbz#1854854)
|
||||
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
|
||||
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
|
||||
|
||||
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
|
||||
- Update the scapval invocation (RHBZ#1815007)
|
||||
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
|
||||
- Change the spec file macro invocation from patch to Patch
|
||||
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
|
||||
|
||||
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
|
||||
- fix description of HIPAA profile (RHBZ#1867559)
|
||||
|
||||
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
|
||||
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
|
||||
- Remove CCM from TLS Ciphersuites
|
||||
|
||||
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
|
||||
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
|
||||
|
||||
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
|
||||
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
|
||||
|
||||
|
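Review bot: The comment above Patch0 still says the patch allows only OSPP, PCI-DSS, E8 and STIG profiles in the RHEL8 datastream, yet the changelog in this same file records the RHEL-8 CUI profile being enabled (0.1.50-13) and the Minimal, Intermediary and Enhanced ANSSI profiles being added (0.1.54-1), and the new Patch28 comment refers to an ANSSI High profile that is intentionally not shipped; the comment should describe the current behaviour rather than a fixed list, e.g. `# Patch restricts the RHEL8 datastream to the profiles kept in disable-not-in-good-shape-profiles.patch`. The new Patch28 comment also carries a typo, `# Until the ANSSI High profile is shipped we drop its kickstart too`. The %prep/%build hunk reports 13 old and 28 new lines while showing 16 added %patchN lines, so one line there appears to be removed — presumably `-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE`, since rhel6 content is now unpacked from Source1 by `%setup -q -b 1` and copied pre-built into the buildroot in %install; if that is the case, the Source1 comment should say which build produced that static tarball, because nothing in the spec lets a reviewer verify that the shipped rhel6 content corresponds to a buildable source.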