From a300600b35e7df874dc876bcccbf8b3119ea62fc Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Wed, 7 Jul 2021 15:12:14 +0200 Subject: [PATCH] >Port 8.5 changes to the package to RHEL9 Also deal with missing CCE issues. Resolves: rhbz#1962564 --- ...-0.1.57-anssi_telnetd_update-PR_6997.patch | 693 ++++++++++++++++++ ...e-0.1.57-rhel9_profile_stubs-PR_7106.patch | 4 +- scap-security-guide.spec | 55 +- 3 files changed, 737 insertions(+), 15 deletions(-) create mode 100644 scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch diff --git a/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch b/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch new file mode 100644 index 0000000..a6e478f --- /dev/null +++ b/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch 
@@ -0,0 +1,693 @@ +From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:14:24 +0200 +Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening + +--- + controls/anssi.yml | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 2053de05c0..e9b9f1b803 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -70,6 +70,10 @@ controls: + It is recommended to use the mandatory access control (MAC) features in + addition to the traditional Unix user model (DAC), or possibly combine + them with partitioning mechanisms. ++ notes: >- ++ Other partitioning mechanisms can include chroot and containers and are not contemplated ++ in this requirement. ++ automated: partially + rules: + - selinux_state + - var_selinux_state=enforcing +@@ -161,6 +165,7 @@ controls: + The iommu = force directive must be added to the list of kernel parameters + during startup in addition to those already present in the configuration + files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). ++ automated: yes + rules: + - grub2_enable_iommu_force + +@@ -837,8 +842,8 @@ controls: + not locally stored in clear), or possibly stored on a separate machine + of the one on which the sealing is done. + Check section "Database and config signing in AIDE manual" +- https://github.com/aide/aide/blob/master/doc/manual.html +- # rules: TBD ++ https://aide.github.io/doc/#signing ++ automated: no + + - id: R53 + level: enhanced +@@ -946,7 +951,7 @@ controls: + title: Enable AppArmor security profiles + description: >- + All AppArmor security profiles on the system must be enabled by default. +- # rules: TBD ++ automated: no + + - id: R66 + level: high +@@ -990,6 +995,7 @@ controls: + description: >- + SELinux policy manipulation and debugging tools should not be installed + on a machine in production. 
++ automated: yes + rules: + - package_setroubleshoot_removed + - package_setroubleshoot-server_removed +@@ -1000,4 +1006,5 @@ controls: + title: Confining interactive non-privileged users + description: >- + Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. +- # rules: TBD ++ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. ++ automated: no + +From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:31:11 +0200 +Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels + +--- + controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 75 insertions(+), 16 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index e9b9f1b803..291af65f58 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -19,8 +19,10 @@ controls: + Those whose presence can not be justified should be disabled, removed or deleted. + automated: partially # The list of essential services is not objective. + notes: >- +- Use of obsolete or insecure services is not recommended. +- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later. ++ Manual review is required to assess if the installed services are minimal. ++ In general, use of obsolete or insecure services is not recommended. ++ Performing a minimal install is a good starting point, but doesn't provide any assurance ++ over any package installed later. + rules: + - package_dhcp_removed + #- package_rsh_removed +@@ -45,10 +47,9 @@ controls: + problematic from a security point of view. + The features configured at the level of launched services should be limited to the strict + minimum. ++ automated: no + notes: >- + Define a list of most problematic components or features to be hardened or restricted. 
+- # potential components: sshd, pam, chrony? +- # rules: TBD + + - id: R3 + level: enhanced +@@ -109,7 +110,10 @@ controls: + Network services should as much as possible be hosted on isolated environments. + This avoids having other potentially affected services if one of them gets + compromised under the same environment. +- #rules: TBD ++ notes: >- ++ Manual analysis is required to determine if services are hosted appropriately in ++ separate or isolated system while maintaining functionality. ++ automated: no + + - id: R7 + level: enhanced +@@ -117,6 +121,7 @@ controls: + description: >- + The activities of the running system and services must be logged and + archived on an external, non-local system. ++ automated: yes + rules: + # The default remote loghost is logcollector. + # Change the default value to the hostname or IP of the system to send the logs to +@@ -235,6 +240,7 @@ controls: + notes: >- + The rule disabling auto-mount for /boot is commented until the rules checking for other + /boot mount options are updated to handle this usecase. ++ automated: no + #rules: + #- mount_option_boot_noauto + +@@ -275,7 +281,7 @@ controls: + hardening measures. + Between two packages providing the same service, those subject to hardening + (at compilation, installation, or default configuration) must be preferred. +- #rules: TBD ++ automated: no + + - id: R17 + level: enhanced +@@ -283,6 +289,7 @@ controls: + description: >- + A boot loader to protect the password boot must be to be privileged. + This password must prevent any user from changing their configuration options. ++ automated: yes # without remediation + rules: + - grub2_password + - grub2_uefi_password +@@ -358,12 +365,28 @@ controls: + must be set up as soon as the system is installed: account and administration + passwords, root authority certificates, public keys, or certificates of the + host (and their respective private key). 
+- # rules: TBD ++ notes: >- ++ This concerns two aspects, the first is administrative, and involves prompt ++ installation of secrets or trusted elements by the sysadmin. ++ The second involves removal of any default secret or trusted element ++ configured by the operating system during install process, e.g. default ++ known passwords. ++ automated: no + + - id: R21 + level: intermediary + title: Hardening and monitoring of services subject to arbitrary flows +- # rules: TBD ++ notes: >- ++ SELinux can provide confinement and monitoring of services, and AIDE provides ++ basic integrity checking. System logs are configured as part of R43. ++ Hardening of particular services should be done on a case by case basis and is ++ not automated by this content. ++ automated: partially ++ rules: ++ - selinux_state ++ - var_selinux_state=enforcing ++ - package_aide_installed ++ - aide_build_database + + - id: R22 + level: intermediary +@@ -535,6 +558,7 @@ controls: + sysctl kernel.modules_disabledconf: + Prohibition of loading modules (except those already loaded to this point) + kernel.modules_disabled = 1 ++ automated: yes # without remediation + rules: + - sysctl_kernel_modules_disabled + +@@ -545,6 +569,7 @@ controls: + It is recommended to load the Yama security module at startup (by example + passing the security = yama argument to the kernel) and configure the + sysctl kernel.yama.ptrace_scope to a value of at least 1. ++ automated: yes + rules: + - sysctl_kernel_yama_ptrace_scope + +@@ -553,13 +578,19 @@ controls: + title: Disabling unused user accounts + description: >- + Unused user accounts must be disabled at the system level. +- # rules: TBD ++ notes: >- ++ The definition of unused user accounts is broad. It can include accounts ++ whose owners don't use the system anymore, or users created by services ++ or applicatons that should not be used. 
++ automated: no + + - id: R27 + title: Disabling service accounts + level: intermediary + notes: >- + It is difficult to generally identify the system's service accounts. ++ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ are not enforced by the OS and can be changed over time. + Assisting rules could list users which are not disabled for manual review. + automated: no + +@@ -568,7 +599,11 @@ controls: + title: Uniqueness and exclusivity of system service accounts + description: >- + Each service must have its own system account and be dedicated to it exclusively. +- # rules: TBD ++ notes: >- ++ It is not trivial to identify wether a user account is a service account. ++ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ are not enforced by the OS and can be changed over time. ++ automated: no + + - id: R29 + level: enhanced +@@ -778,6 +813,7 @@ controls: + description: >- + The syslog services must be isolated from the rest of the system in a + dedicated container. ++ automated: no + # rules: TBD + + - id: R46 +@@ -825,6 +861,7 @@ controls: + This includes: directories containing executables, libraries, + configuration files, as well as any files that may contain sensitive + elements (cryptographic keys, passwords, confidential data). ++ automated: yes + rules: + - package_aide_installed + - aide_build_database +@@ -851,7 +888,12 @@ controls: + description: >- + The deployed services must have their access restricted to the system + strict minimum, especially when it comes to files, processes or network. +- # rules: TBD ++ notes: >- ++ SELinux policies limit the privileges of services and daemons to only what they require. 
++ automated: partially ++ rules: ++ - selinux_policytype ++ - var_selinux_policy_name=targeted + + - id: R54 + level: enhanced +@@ -859,17 +901,24 @@ controls: + description: >- + Each component supporting the virtualization must be hardened, especially + by applying technical measures to counter the exploit attempts. +- # rules: TBD ++ notes: >- ++ It may be interesting to point out virtulization components that are installed and ++ should be hardened. ++ automated: no + + - id: R55 + level: intermediary + title: chroot jail and access right for partitioned service +- # rules: TBD ++ notes: >- ++ Automation to restrict access and chroot services is not generally reliable. ++ autmated: no + + - id: R56 + level: intermediary + title: Enablement and usage of chroot by a service +- # rules: TBD ++ notes: >- ++ Automation to restrict access and chroot services is not generally reliable. ++ automated: no + + - id: R57 + level: intermediary +@@ -924,7 +973,10 @@ controls: + description: >- + The commands requiring the execution of sub-processes (EXEC tag) must be + explicitly listed and their use should be reduced to a strict minimum. +- # rules: TBD ++ notes: >- ++ Human review is required to assess if the commands requiring EXEC is minimal. ++ An auxiliary rule could list rules containing EXEC tag, for analysis. ++ automated: no + + - id: R62 + level: intermediary +@@ -944,7 +996,13 @@ controls: + - id: R64 + level: intermediary + title: Good use of sudoedit +- # rules: TBD ++ description: A file requiring sudo to be edited, must be edited through the sudoedit command. ++ notes: >- ++ In R62 we established that the sudoers files should not use negations, thus the approach ++ for this requirement is to ensure that sudoedit is the only text editor allowed. ++ But it is difficult to ensure that allowed binaries aren't text editors without human ++ review. 
++ automated: no + + - id: R65 + level: high +@@ -959,6 +1017,7 @@ controls: + description: >- + It is recommended to enable the targeted policy when the distribution + support it and that it does not operate another security module than SELinux. ++ automated: yes + rules: + - selinux_policytype + - var_selinux_policy_name=targeted + +From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:49:42 +0200 +Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles + +--- + rhel7/profiles/anssi_nt28_high.profile | 2 +- + rhel8/profiles/anssi_bp28_high.profile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index 22efad9c09..560460b55f 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -1,6 +1,6 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI-BP-028 (high)' ++title: 'ANSSI-BP-028 (high)' + + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index 22efad9c09..560460b55f 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,6 +1,6 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI-BP-028 (high)' ++title: 'ANSSI-BP-028 (high)' + + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. 
+ +From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Fri, 14 May 2021 10:58:50 +0200 +Subject: [PATCH 4/6] Fix typos and improve language + +Co-authored-by: vojtapolasek +--- + controls/anssi.yml | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 291af65f58..81d099e98b 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -581,7 +581,7 @@ controls: + notes: >- + The definition of unused user accounts is broad. It can include accounts + whose owners don't use the system anymore, or users created by services +- or applicatons that should not be used. ++ or applications that should not be used. + automated: no + + - id: R27 +@@ -589,7 +589,7 @@ controls: + level: intermediary + notes: >- + It is difficult to generally identify the system's service accounts. +- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + Assisting rules could list users which are not disabled for manual review. + automated: no +@@ -600,8 +600,8 @@ controls: + description: >- + Each service must have its own system account and be dedicated to it exclusively. + notes: >- +- It is not trivial to identify wether a user account is a service account. +- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ It is not trivial to identify whether a user account is a service account. ++ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + automated: no + +@@ -889,7 +889,7 @@ controls: + The deployed services must have their access restricted to the system + strict minimum, especially when it comes to files, processes or network. 
+ notes: >- +- SELinux policies limit the privileges of services and daemons to only what they require. ++ SELinux policies limit the privileges of services and daemons just to those which are required. + automated: partially + rules: + - selinux_policytype +@@ -902,7 +902,7 @@ controls: + Each component supporting the virtualization must be hardened, especially + by applying technical measures to counter the exploit attempts. + notes: >- +- It may be interesting to point out virtulization components that are installed and ++ It may be interesting to point out virtualization components that are installed and + should be hardened. + automated: no + +@@ -910,14 +910,14 @@ controls: + level: intermediary + title: chroot jail and access right for partitioned service + notes: >- +- Automation to restrict access and chroot services is not generally reliable. +- autmated: no ++ Using automation to restrict access and chroot services is not generally reliable. ++ automated: no + + - id: R56 + level: intermediary + title: Enablement and usage of chroot by a service + notes: >- +- Automation to restrict access and chroot services is not generally reliable. ++ Using automation to restrict access and chroot services is not generally reliable. + automated: no + + - id: R57 +@@ -974,7 +974,7 @@ controls: + The commands requiring the execution of sub-processes (EXEC tag) must be + explicitly listed and their use should be reduced to a strict minimum. + notes: >- +- Human review is required to assess if the commands requiring EXEC is minimal. ++ Human review is required to assess if the set of commands requiring EXEC is minimal. + An auxiliary rule could list rules containing EXEC tag, for analysis. 
+ automated: no + + +From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 14 May 2021 11:41:30 +0200 +Subject: [PATCH 5/6] Update R1 notes and selected rule + +--- + controls/anssi.yml | 28 +++++++++---------- + .../package_xinetd_removed/rule.yml | 1 + + .../nis/package_ypbind_removed/rule.yml | 1 + + .../nis/package_ypserv_removed/rule.yml | 1 + + .../package_rsh-server_removed/rule.yml | 1 + + .../r_services/package_rsh_removed/rule.yml | 1 + + .../talk/package_talk-server_removed/rule.yml | 1 + + .../talk/package_talk_removed/rule.yml | 1 + + .../package_telnet-server_removed/rule.yml | 1 + + .../telnet/package_telnet_removed/rule.yml | 1 + + .../tftp/package_tftp-server_removed/rule.yml | 1 + + .../tftp/package_tftp_removed/rule.yml | 4 +++ + 13 files changed, 28 insertions(+), 15 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 81d099e98b..ebee9c4259 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -19,25 +19,25 @@ controls: + Those whose presence can not be justified should be disabled, removed or deleted. + automated: partially # The list of essential services is not objective. + notes: >- +- Manual review is required to assess if the installed services are minimal. +- In general, use of obsolete or insecure services is not recommended. + Performing a minimal install is a good starting point, but doesn't provide any assurance + over any package installed later. ++ Manual review is required to assess if the installed services are minimal. ++ In general, use of obsolete or insecure services is not recommended and we remove some ++ of these in this recommendation. 
+ rules: + - package_dhcp_removed +- #- package_rsh_removed +- #- package_rsh-server_removed ++ - package_rsh_removed ++ - package_rsh-server_removed + - package_sendmail_removed +- - package_telnetd_removed +- #- package_talk_removed +- #- package_talk-server_removed +- #- package_telnet_removed +- #- package_telnet-server_removed +- #- package_tftp_removed +- #- package_tftp-server_removed +- #- package_xinetd_removed +- #- package_ypbind_removed +- #- package_ypserv_removed ++ - package_talk_removed ++ - package_talk-server_removed ++ - package_telnet_removed ++ - package_telnet-server_removed ++# - package_tftp_removed ++ - package_tftp-server_removed ++ - package_xinetd_removed ++ - package_ypbind_removed ++ - package_ypserv_removed + + - id: R2 + level: intermediary +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +index e2431be9c5..9494025449 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +@@ -18,6 +18,7 @@ identifiers: + cce@rhel8: CCE-80850-1 + + references: ++ anssi: BP28(R1) + cis@rhel8: 2.1.1 + disa: CCI-000305 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index 97e27e2a4c..e836dc6fb1 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -24,6 +24,7 @@ identifiers: + cce@rhel8: CCE-82181-9 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.1 + cis@rhel8: 2.3.1 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git 
a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +index ac1d8e6f4c..7ca7a67e69 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82432-6 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-020010 + cis@rhel7: 2.2.16 + cis@rhel8: 2.2.17 +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +index 21f4d7bae6..33c36cde67 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82184-3 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-020000 + disa: CCI-000381 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +index c8f4673a3a..dbc6bd7329 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@rhel8: CCE-82183-5 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.2 + cui: 3.1.13 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +index 12971558e9..e46e4f55d0 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml ++++ 
b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +@@ -18,6 +18,7 @@ identifiers: + cce@rhel8: CCE-82180-1 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.2.18 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + +diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +index 68e804ba38..24743fc2d6 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@rhel8: CCE-80848-5 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.3 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index 7bb5ed5da3..24cf50ff29 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -31,6 +31,7 @@ identifiers: + cce@sle15: CCE-83273-3 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-021710 + cis@rhel7: 2.1.19 + disa: CCI-000381 +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +index 1b0128ec06..afef488734 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +@@ -21,6 +21,7 @@ identifiers: + cce@rhel8: CCE-80849-3 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.4 + cis@rhel8: 2.3.2 + cui: 3.1.13 +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml 
b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index 3fcc8db4c8..ca25bb2124 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82436-7 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-040700 + disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814 + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +index c3a501259c..0be9a60d38 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +@@ -19,6 +19,10 @@ severity: low + + identifiers: + cce@rhel7: CCE-80443-5 ++ cce@rhel8: CCE-83590-0 ++ ++references: ++ anssi: BP28(R1) + + ocil: '{{{ describe_package_remove(package="tftp") }}}' + +From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 14 May 2021 11:43:32 +0200 +Subject: [PATCH 6/6] Update R5 notes and rule selection + +Note commented rules as related, and potentially useful. +--- + controls/anssi.yml | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index ebee9c4259..bba7148da9 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -88,20 +88,22 @@ controls: + automated: partially + notes: >- + Defense in-depth can be broadly divided into three areas - physical, technical and +- administrative. The security profile is best suitedto protect the technical area. ++ administrative. The security profile is best suited to protect the technical area. 
+ Among the barriers that can be implemented within the technical area are antivirus software, + authentication, multi-factor authentication, encryption, logging, auditing, sandboxing, + intrusion detection systems, firewalls and vulnerability scanners. ++ The selection below is not in any way exaustive and should be adapted to the system's needs. + rules: +- #- package_audit_installed +- #- service_auditd_enabled + - sudo_remove_no_authenticate + - package_rsyslog_installed + - service_rsyslog_enabled +- #- package_ntp_installed +- #- package_firewalld_installed +- #- service_firewalld_enabled +- #- sssd_enable_smartcards ++ related_rules: ++ - package_audit_installed ++ - service_auditd_enabled ++ - package_ntp_installed ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - sssd_enable_smartcards + + - id: R6 + level: enhanced diff --git a/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch b/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch index 97a5f1e..4f953b8 100644 --- a/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch +++ b/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch @@ -3053,10 +3053,10 @@ index 00000000000..50548f7e8eb + - disable_users_coredumps + + # RHEL-08-010674 -+ - coredump_disable_storage ++# - coredump_disable_storage + + # RHEL-08-010675 -+ - coredump_disable_backtraces ++# - coredump_disable_backtraces + + # RHEL-08-010680 +# - network_configure_name_resolution # not supported in RHEL9 ATM diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 1f2b8d5..6f6c263 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
@@ -1,22 +1,18 @@ -# SSG build system and tests count with build directory name `build`. -# For more details see: -# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds -%global _vpath_builddir build - Name: scap-security-guide Version: 0.1.56 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 -Patch1: scap-security-guide-0.1.57-build-system-pr-7025.patch -Patch2: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch -Patch3: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch -Patch4: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch -Patch5: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch -Patch6: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch -Patch7: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch +Patch1: scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch +Patch2: scap-security-guide-0.1.57-build-system-pr-7025.patch +Patch3: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch +Patch4: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch +Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch +Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch +Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch +Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch BuildArch: noarch BuildRequires: libxslt 
@@ -49,6 +45,16 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. +%if %{defined rhel} +%package rule-playbooks +Summary: Ansible playbooks per each rule. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description rule-playbooks +The %{name}-rule-playbooks package contains individual ansible playbooks per rule. +%endif + # Temporarily needed to apply the profile stub patch (identifiers were sorted) %global _default_patch_fuzz 1 %prep @@ -61,6 +67,15 @@ present in %{name} package. -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \ -DSSG_BASH_SCRIPTS_ENABLED=OFF \ -DSSG_BUILD_SCAP_12_DS=OFF +%if %{defined centos} +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ +%else +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +%endif +-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ +%if %{defined rhel} +-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \ +%endif %cmake_build %install @@ -75,12 +90,26 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %{_datadir}/%{name}/ansible/*.yml %lang(en) %{_mandir}/man8/scap-security-guide.8.* %doc %{_docdir}/%{name}/LICENSE +%if %{defined rhel} +%exclude %{_datadir}/%{name}/ansible/rule_playbooks +%endif %files doc %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html +%if %{defined rhel} +%files rule-playbooks +%defattr(-,root,root,-) +%{_datadir}/%{name}/ansible/rule_playbooks +%endif + %changelog +* Wed Jul 07 2021 Matej Tyc - 0.1.56-3 +- Introduced the playbooks subpackage. +- Enabled CentOS content on CentOS systems. +- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them. + * Mon Jun 28 2021 Matej Tyc - 0.1.56-2 - Enable more RHEL9 rules and introduce RHEL9 profile stubs
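Review bot: in PATCH 5/6 of the added anssi_telnetd_update patch, `package_tftp_removed` is the only R1 entry left commented out (`# - package_tftp_removed`) while the same commit adds `anssi: BP28(R1)` and `cce@rhel8: CCE-83590-0` to `package_tftp_removed/rule.yml`; either select the rule in R1 or drop the reference, and put the reason on the commented line (PATCH 6/6 does this for R5 by moving unselected rules under `related_rules:`). The same consistency point applies to R45 in PATCH 2/6, which gains `automated: no` but keeps the stale `# rules: TBD` marker that every other control in that commit removes.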
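Review bot: the hand edit to scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch comments out `coredump_disable_storage` and `coredump_disable_backtraces` under RHEL-08-010674 and RHEL-08-010675 without saying why, whereas the neighbouring `# - network_configure_name_resolution # not supported in RHEL9 ATM` carries its reason inline. The changelog attributes this to missing CCEs; write that on the lines themselves (e.g. `# - coredump_disable_storage # missing RHEL9 CCE`) so the exclusion is revisited once identifiers exist. Editing a patch file in place only works here because the nested `@@ -3053,10 +3053,10 @@` region keeps its line count; any later edit that changes the count will silently break the nested hunk headers.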
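Review bot: the first scap-security-guide.spec hunk drops `%global _vpath_builddir build` together with the comment stating that the SSG build system and tests depend on the build directory being named `build`, yet neither the commit message nor the 0.1.56-3 changelog entry mentions it. Say why the override is no longer needed or restore it; without it `%cmake_build` uses the macro's default directory and anything that hard-codes `build` fails. The same hunk renumbers Patch1..Patch7 to Patch2..Patch8 to insert the ANSSI patch first; the `%prep` lines that apply the patches are not in the diff, so confirm they go through `%autosetup`/`%autopatch` rather than explicit `%patchN` calls that would now be off by one.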
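Review bot: in the cmake hunk (`@@ -61,6 +67,15 @@`) the unchanged context line `-DSSG_BUILD_SCAP_12_DS=OFF` carries no trailing backslash, so as shown the `%cmake` invocation ends there and the options added below it (`-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=...`, `-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF`, `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON`) become separate shell commands, while the last added option ends with `\` and would be joined to the `%cmake_build` expansion that follows `%endif` (on non-RHEL builds the same happens with the SCIENTIFIC_LINUX line). Change the context line to `-DSSG_BUILD_SCAP_12_DS=OFF \` and finish the argument list with an unconditional option that has no continuation, placing the `%if %{defined rhel}` block before it.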
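Review bot: in the `%package rule-playbooks` hunk, `Summary: Ansible playbooks per each rule.` ends with a period (rpmlint reports summary-ended-with-dot) and `per each` is redundant; `Summary: Ansible playbook per rule` is enough. `Group:` is no longer required and current Fedora/RHEL packaging guidance omits it, and `%defattr(-,root,root,-)` in `%files rule-playbooks` restates the default; both lines can go. The `%exclude %{_datadir}/%{name}/ansible/rule_playbooks` in the main package is guarded by the same `%if %{defined rhel}` as `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON`, so file ownership stays consistent across both build variants.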