>Port 8.5 changes to the package to RHEL9
Also deal with missing CCE issues. Resolves: rhbz#1962564
This commit is contained in:
parent
5f5226d27a
commit
a300600b35
693
scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
Normal file
693
scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
Normal file
@ -0,0 +1,693 @@
|
||||
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:14:24 +0200
|
||||
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
|
||||
|
||||
---
|
||||
controls/anssi.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2053de05c0..e9b9f1b803 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -70,6 +70,10 @@ controls:
|
||||
It is recommended to use the mandatory access control (MAC) features in
|
||||
addition to the traditional Unix user model (DAC), or possibly combine
|
||||
them with partitioning mechanisms.
|
||||
+ notes: >-
|
||||
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
|
||||
+ in this requirement.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- selinux_state
|
||||
- var_selinux_state=enforcing
|
||||
@@ -161,6 +165,7 @@ controls:
|
||||
The iommu = force directive must be added to the list of kernel parameters
|
||||
during startup in addition to those already present in the configuration
|
||||
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- grub2_enable_iommu_force
|
||||
|
||||
@@ -837,8 +842,8 @@ controls:
|
||||
not locally stored in clear), or possibly stored on a separate machine
|
||||
of the one on which the sealing is done.
|
||||
Check section "Database and config signing in AIDE manual"
|
||||
- https://github.com/aide/aide/blob/master/doc/manual.html
|
||||
- # rules: TBD
|
||||
+ https://aide.github.io/doc/#signing
|
||||
+ automated: no
|
||||
|
||||
- id: R53
|
||||
level: enhanced
|
||||
@@ -946,7 +951,7 @@ controls:
|
||||
title: Enable AppArmor security profiles
|
||||
description: >-
|
||||
All AppArmor security profiles on the system must be enabled by default.
|
||||
- # rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R66
|
||||
level: high
|
||||
@@ -990,6 +995,7 @@ controls:
|
||||
description: >-
|
||||
SELinux policy manipulation and debugging tools should not be installed
|
||||
on a machine in production.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_setroubleshoot_removed
|
||||
- package_setroubleshoot-server_removed
|
||||
@@ -1000,4 +1006,5 @@ controls:
|
||||
title: Confining interactive non-privileged users
|
||||
description: >-
|
||||
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
|
||||
- # rules: TBD
|
||||
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
|
||||
+ automated: no
|
||||
|
||||
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:31:11 +0200
|
||||
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
|
||||
|
||||
---
|
||||
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 75 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index e9b9f1b803..291af65f58 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,8 +19,10 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Use of obsolete or insecure services is not recommended.
|
||||
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended.
|
||||
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
+ over any package installed later.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
#- package_rsh_removed
|
||||
@@ -45,10 +47,9 @@ controls:
|
||||
problematic from a security point of view.
|
||||
The features configured at the level of launched services should be limited to the strict
|
||||
minimum.
|
||||
+ automated: no
|
||||
notes: >-
|
||||
Define a list of most problematic components or features to be hardened or restricted.
|
||||
- # potential components: sshd, pam, chrony?
|
||||
- # rules: TBD
|
||||
|
||||
- id: R3
|
||||
level: enhanced
|
||||
@@ -109,7 +110,10 @@ controls:
|
||||
Network services should as much as possible be hosted on isolated environments.
|
||||
This avoids having other potentially affected services if one of them gets
|
||||
compromised under the same environment.
|
||||
- #rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual analysis is required to determine if services are hosted appropriately in
|
||||
+ separate or isolated system while maintaining functionality.
|
||||
+ automated: no
|
||||
|
||||
- id: R7
|
||||
level: enhanced
|
||||
@@ -117,6 +121,7 @@ controls:
|
||||
description: >-
|
||||
The activities of the running system and services must be logged and
|
||||
archived on an external, non-local system.
|
||||
+ automated: yes
|
||||
rules:
|
||||
# The default remote loghost is logcollector.
|
||||
# Change the default value to the hostname or IP of the system to send the logs to
|
||||
@@ -235,6 +240,7 @@ controls:
|
||||
notes: >-
|
||||
The rule disabling auto-mount for /boot is commented until the rules checking for other
|
||||
/boot mount options are updated to handle this usecase.
|
||||
+ automated: no
|
||||
#rules:
|
||||
#- mount_option_boot_noauto
|
||||
|
||||
@@ -275,7 +281,7 @@ controls:
|
||||
hardening measures.
|
||||
Between two packages providing the same service, those subject to hardening
|
||||
(at compilation, installation, or default configuration) must be preferred.
|
||||
- #rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R17
|
||||
level: enhanced
|
||||
@@ -283,6 +289,7 @@ controls:
|
||||
description: >-
|
||||
A boot loader to protect the password boot must be to be privileged.
|
||||
This password must prevent any user from changing their configuration options.
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- grub2_password
|
||||
- grub2_uefi_password
|
||||
@@ -358,12 +365,28 @@ controls:
|
||||
must be set up as soon as the system is installed: account and administration
|
||||
passwords, root authority certificates, public keys, or certificates of the
|
||||
host (and their respective private key).
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ This concerns two aspects, the first is administrative, and involves prompt
|
||||
+ installation of secrets or trusted elements by the sysadmin.
|
||||
+ The second involves removal of any default secret or trusted element
|
||||
+ configured by the operating system during install process, e.g. default
|
||||
+ known passwords.
|
||||
+ automated: no
|
||||
|
||||
- id: R21
|
||||
level: intermediary
|
||||
title: Hardening and monitoring of services subject to arbitrary flows
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux can provide confinement and monitoring of services, and AIDE provides
|
||||
+ basic integrity checking. System logs are configured as part of R43.
|
||||
+ Hardening of particular services should be done on a case by case basis and is
|
||||
+ not automated by this content.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_state
|
||||
+ - var_selinux_state=enforcing
|
||||
+ - package_aide_installed
|
||||
+ - aide_build_database
|
||||
|
||||
- id: R22
|
||||
level: intermediary
|
||||
@@ -535,6 +558,7 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- sysctl_kernel_modules_disabled
|
||||
|
||||
@@ -545,6 +569,7 @@ controls:
|
||||
It is recommended to load the Yama security module at startup (by example
|
||||
passing the security = yama argument to the kernel) and configure the
|
||||
sysctl kernel.yama.ptrace_scope to a value of at least 1.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sysctl_kernel_yama_ptrace_scope
|
||||
|
||||
@@ -553,13 +578,19 @@ controls:
|
||||
title: Disabling unused user accounts
|
||||
description: >-
|
||||
Unused user accounts must be disabled at the system level.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The definition of unused user accounts is broad. It can include accounts
|
||||
+ whose owners don't use the system anymore, or users created by services
|
||||
+ or applicatons that should not be used.
|
||||
+ automated: no
|
||||
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
|
||||
@@ -568,7 +599,11 @@ controls:
|
||||
title: Uniqueness and exclusivity of system service accounts
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is not trivial to identify wether a user account is a service account.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
+ automated: no
|
||||
|
||||
- id: R29
|
||||
level: enhanced
|
||||
@@ -778,6 +813,7 @@ controls:
|
||||
description: >-
|
||||
The syslog services must be isolated from the rest of the system in a
|
||||
dedicated container.
|
||||
+ automated: no
|
||||
# rules: TBD
|
||||
|
||||
- id: R46
|
||||
@@ -825,6 +861,7 @@ controls:
|
||||
This includes: directories containing executables, libraries,
|
||||
configuration files, as well as any files that may contain sensitive
|
||||
elements (cryptographic keys, passwords, confidential data).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_aide_installed
|
||||
- aide_build_database
|
||||
@@ -851,7 +888,12 @@ controls:
|
||||
description: >-
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_policytype
|
||||
+ - var_selinux_policy_name=targeted
|
||||
|
||||
- id: R54
|
||||
level: enhanced
|
||||
@@ -859,17 +901,24 @@ controls:
|
||||
description: >-
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It may be interesting to point out virtulization components that are installed and
|
||||
+ should be hardened.
|
||||
+ automated: no
|
||||
|
||||
- id: R55
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ autmated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R57
|
||||
level: intermediary
|
||||
@@ -924,7 +973,10 @@ controls:
|
||||
description: >-
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
+ automated: no
|
||||
|
||||
- id: R62
|
||||
level: intermediary
|
||||
@@ -944,7 +996,13 @@ controls:
|
||||
- id: R64
|
||||
level: intermediary
|
||||
title: Good use of sudoedit
|
||||
- # rules: TBD
|
||||
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
|
||||
+ notes: >-
|
||||
+ In R62 we established that the sudoers files should not use negations, thus the approach
|
||||
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
|
||||
+ But it is difficult to ensure that allowed binaries aren't text editors without human
|
||||
+ review.
|
||||
+ automated: no
|
||||
|
||||
- id: R65
|
||||
level: high
|
||||
@@ -959,6 +1017,7 @@ controls:
|
||||
description: >-
|
||||
It is recommended to enable the targeted policy when the distribution
|
||||
support it and that it does not operate another security module than SELinux.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- selinux_policytype
|
||||
- var_selinux_policy_name=targeted
|
||||
|
||||
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:49:42 +0200
|
||||
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Yuuma Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 10:58:50 +0200
|
||||
Subject: [PATCH 4/6] Fix typos and improve language
|
||||
|
||||
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
||||
---
|
||||
controls/anssi.yml | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 291af65f58..81d099e98b 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -581,7 +581,7 @@ controls:
|
||||
notes: >-
|
||||
The definition of unused user accounts is broad. It can include accounts
|
||||
whose owners don't use the system anymore, or users created by services
|
||||
- or applicatons that should not be used.
|
||||
+ or applications that should not be used.
|
||||
automated: no
|
||||
|
||||
- id: R27
|
||||
@@ -589,7 +589,7 @@ controls:
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
@@ -600,8 +600,8 @@ controls:
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
notes: >-
|
||||
- It is not trivial to identify wether a user account is a service account.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ It is not trivial to identify whether a user account is a service account.
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
automated: no
|
||||
|
||||
@@ -889,7 +889,7 @@ controls:
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
notes: >-
|
||||
- SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ SELinux policies limit the privileges of services and daemons just to those which are required.
|
||||
automated: partially
|
||||
rules:
|
||||
- selinux_policytype
|
||||
@@ -902,7 +902,7 @@ controls:
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
notes: >-
|
||||
- It may be interesting to point out virtulization components that are installed and
|
||||
+ It may be interesting to point out virtualization components that are installed and
|
||||
should be hardened.
|
||||
automated: no
|
||||
|
||||
@@ -910,14 +910,14 @@ controls:
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
- autmated: no
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
automated: no
|
||||
|
||||
- id: R57
|
||||
@@ -974,7 +974,7 @@ controls:
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
notes: >-
|
||||
- Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
|
||||
An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
automated: no
|
||||
|
||||
|
||||
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:41:30 +0200
|
||||
Subject: [PATCH 5/6] Update R1 notes and selected rule
|
||||
|
||||
---
|
||||
controls/anssi.yml | 28 +++++++++----------
|
||||
.../package_xinetd_removed/rule.yml | 1 +
|
||||
.../nis/package_ypbind_removed/rule.yml | 1 +
|
||||
.../nis/package_ypserv_removed/rule.yml | 1 +
|
||||
.../package_rsh-server_removed/rule.yml | 1 +
|
||||
.../r_services/package_rsh_removed/rule.yml | 1 +
|
||||
.../talk/package_talk-server_removed/rule.yml | 1 +
|
||||
.../talk/package_talk_removed/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../telnet/package_telnet_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp-server_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp_removed/rule.yml | 4 +++
|
||||
13 files changed, 28 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 81d099e98b..ebee9c4259 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,25 +19,25 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Manual review is required to assess if the installed services are minimal.
|
||||
- In general, use of obsolete or insecure services is not recommended.
|
||||
Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended and we remove some
|
||||
+ of these in this recommendation.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
- #- package_rsh_removed
|
||||
- #- package_rsh-server_removed
|
||||
+ - package_rsh_removed
|
||||
+ - package_rsh-server_removed
|
||||
- package_sendmail_removed
|
||||
- - package_telnetd_removed
|
||||
- #- package_talk_removed
|
||||
- #- package_talk-server_removed
|
||||
- #- package_telnet_removed
|
||||
- #- package_telnet-server_removed
|
||||
- #- package_tftp_removed
|
||||
- #- package_tftp-server_removed
|
||||
- #- package_xinetd_removed
|
||||
- #- package_ypbind_removed
|
||||
- #- package_ypserv_removed
|
||||
+ - package_talk_removed
|
||||
+ - package_talk-server_removed
|
||||
+ - package_telnet_removed
|
||||
+ - package_telnet-server_removed
|
||||
+# - package_tftp_removed
|
||||
+ - package_tftp-server_removed
|
||||
+ - package_xinetd_removed
|
||||
+ - package_ypbind_removed
|
||||
+ - package_ypserv_removed
|
||||
|
||||
- id: R2
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
index e2431be9c5..9494025449 100644
|
||||
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80850-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel8: 2.1.1
|
||||
disa: CCI-000305
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
index 97e27e2a4c..e836dc6fb1 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
@@ -24,6 +24,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82181-9
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.1
|
||||
cis@rhel8: 2.3.1
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
index ac1d8e6f4c..7ca7a67e69 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82432-6
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020010
|
||||
cis@rhel7: 2.2.16
|
||||
cis@rhel8: 2.2.17
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
index 21f4d7bae6..33c36cde67 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82184-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020000
|
||||
disa: CCI-000381
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
index c8f4673a3a..dbc6bd7329 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82183-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.2
|
||||
cui: 3.1.13
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
index 12971558e9..e46e4f55d0 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82180-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.2.18
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
index 68e804ba38..24743fc2d6 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80848-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.3
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
index 7bb5ed5da3..24cf50ff29 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
@@ -31,6 +31,7 @@ identifiers:
|
||||
cce@sle15: CCE-83273-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-021710
|
||||
cis@rhel7: 2.1.19
|
||||
disa: CCI-000381
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
index 1b0128ec06..afef488734 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
@@ -21,6 +21,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80849-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.4
|
||||
cis@rhel8: 2.3.2
|
||||
cui: 3.1.13
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
index 3fcc8db4c8..ca25bb2124 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82436-7
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-040700
|
||||
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
|
||||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
index c3a501259c..0be9a60d38 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
@@ -19,6 +19,10 @@ severity: low
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80443-5
|
||||
+ cce@rhel8: CCE-83590-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R1)
|
||||
|
||||
ocil: '{{{ describe_package_remove(package="tftp") }}}'
|
||||
|
||||
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:43:32 +0200
|
||||
Subject: [PATCH 6/6] Update R5 notes and rule selection
|
||||
|
||||
Note commented rules as related, and potentially useful.
|
||||
---
|
||||
controls/anssi.yml | 16 +++++++++-------
|
||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index ebee9c4259..bba7148da9 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -88,20 +88,22 @@ controls:
|
||||
automated: partially
|
||||
notes: >-
|
||||
Defense in-depth can be broadly divided into three areas - physical, technical and
|
||||
- administrative. The security profile is best suitedto protect the technical area.
|
||||
+ administrative. The security profile is best suited to protect the technical area.
|
||||
Among the barriers that can be implemented within the technical area are antivirus software,
|
||||
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
|
||||
intrusion detection systems, firewalls and vulnerability scanners.
|
||||
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
|
||||
rules:
|
||||
- #- package_audit_installed
|
||||
- #- service_auditd_enabled
|
||||
- sudo_remove_no_authenticate
|
||||
- package_rsyslog_installed
|
||||
- service_rsyslog_enabled
|
||||
- #- package_ntp_installed
|
||||
- #- package_firewalld_installed
|
||||
- #- service_firewalld_enabled
|
||||
- #- sssd_enable_smartcards
|
||||
+ related_rules:
|
||||
+ - package_audit_installed
|
||||
+ - service_auditd_enabled
|
||||
+ - package_ntp_installed
|
||||
+ - package_firewalld_installed
|
||||
+ - service_firewalld_enabled
|
||||
+ - sssd_enable_smartcards
|
||||
|
||||
- id: R6
|
||||
level: enhanced
|
@ -3053,10 +3053,10 @@ index 00000000000..50548f7e8eb
|
||||
+ - disable_users_coredumps
|
||||
+
|
||||
+ # RHEL-08-010674
|
||||
+ - coredump_disable_storage
|
||||
+# - coredump_disable_storage
|
||||
+
|
||||
+ # RHEL-08-010675
|
||||
+ - coredump_disable_backtraces
|
||||
+# - coredump_disable_backtraces
|
||||
+
|
||||
+ # RHEL-08-010680
|
||||
+# - network_configure_name_resolution # not supported in RHEL9 ATM
|
||||
|
@ -1,22 +1,18 @@
|
||||
# SSG build system and tests count with build directory name `build`.
|
||||
# For more details see:
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.56
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
Patch1: scap-security-guide-0.1.57-build-system-pr-7025.patch
|
||||
Patch2: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
|
||||
Patch3: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch
|
||||
Patch4: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
|
||||
Patch5: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
|
||||
Patch6: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
|
||||
Patch7: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
|
||||
Patch1: scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
|
||||
Patch2: scap-security-guide-0.1.57-build-system-pr-7025.patch
|
||||
Patch3: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
|
||||
Patch4: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch
|
||||
Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
|
||||
Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
|
||||
Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
|
||||
Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
@ -49,6 +45,16 @@ The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if %{defined rhel}
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
# Temporarily needed to apply the profile stub patch (identifiers were sorted)
|
||||
%global _default_patch_fuzz 1
|
||||
%prep
|
||||
@ -61,6 +67,15 @@ present in %{name} package.
|
||||
-DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \
|
||||
-DSSG_BASH_SCRIPTS_ENABLED=OFF \
|
||||
-DSSG_BUILD_SCAP_12_DS=OFF
|
||||
%if %{defined centos}
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
|
||||
%else
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%endif
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%if %{defined rhel}
|
||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
||||
%endif
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
@ -75,12 +90,26 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%{_datadir}/%{name}/ansible/*.yml
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%if %{defined rhel}
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if %{defined rhel}
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
|
||||
- Introduced the playbooks subpackage.
|
||||
- Enabled CentOS content on CentOS systems.
|
||||
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
|
||||
|
||||
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
|
||||
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user