import scap-security-guide-0.1.72-1.el9_3
This commit is contained in:
parent
e3c93e813d
commit
ab99ffc225
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.72.tar.bz2
|
||||
|
@ -1 +1 @@
|
||||
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||
e10feed870a3553b75798fbee88c27c95b84c7c2 SOURCES/scap-security-guide-0.1.72.tar.bz2
|
||||
|
@ -1,91 +0,0 @@
|
||||
From d98cffdc7ebd3c266e71ead933d401188ef0d66a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:05:37 +0100
|
||||
Subject: [PATCH 07/14] Add rule `package_s-nail-installed`
|
||||
|
||||
Patch-name: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
|
||||
Patch-status: Add rule `package_s-nail-installed`
|
||||
---
|
||||
components/s-nail.yml | 5 +++
|
||||
.../srg_gpos/SRG-OS-000363-GPOS-00150.yml | 1 +
|
||||
.../mail/package_s-nail_installed/rule.yml | 33 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
4 files changed, 39 insertions(+), 1 deletion(-)
|
||||
create mode 100644 components/s-nail.yml
|
||||
create mode 100644 linux_os/guide/services/mail/package_s-nail_installed/rule.yml
|
||||
|
||||
diff --git a/components/s-nail.yml b/components/s-nail.yml
|
||||
new file mode 100644
|
||||
index 0000000000..d93f8c52dc
|
||||
--- /dev/null
|
||||
+++ b/components/s-nail.yml
|
||||
@@ -0,0 +1,5 @@
|
||||
+name: s-nail
|
||||
+packages:
|
||||
+- s-nail
|
||||
+rules:
|
||||
+- package_s-nail_installed
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
|
||||
index 3ffba82f03..05a10a2304 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
|
||||
@@ -7,4 +7,5 @@ controls:
|
||||
rules:
|
||||
- aide_periodic_cron_checking
|
||||
- package_aide_installed
|
||||
+ - package_s-nail_installed
|
||||
status: automated
|
||||
diff --git a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..e14fbc9f35
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
|
||||
@@ -0,0 +1,33 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'The s-nail Package Is Installed'
|
||||
+
|
||||
+description: |-
|
||||
+ A mail server is required for sending emails.
|
||||
+ {{{ describe_package_install(package="s-nail") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Emails can be used to notify designated personnel about important
|
||||
+ system events such as failures or warnings.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86608-7
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001744
|
||||
+ nist: CM-3(5)
|
||||
+ srg: SRG-OS-000363-GPOS-00150
|
||||
+
|
||||
+ocil_clause: 'the package is not installed'
|
||||
+
|
||||
+ocil: '{{{ ocil_package(package="s-nail") }}}'
|
||||
+
|
||||
+template:
|
||||
+ name: package_installed
|
||||
+ vars:
|
||||
+ pkgname: s-nail
|
||||
+
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index ef6afd3fbe..538d9d488d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -315,7 +315,6 @@ CCE-86604-6
|
||||
CCE-86605-3
|
||||
CCE-86606-1
|
||||
CCE-86607-9
|
||||
-CCE-86608-7
|
||||
CCE-86609-5
|
||||
CCE-86610-3
|
||||
CCE-86612-9
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 8 Aug 2023 15:15:21 +0200
|
||||
Subject: [PATCH] Remove kernel cmdline check
|
||||
|
||||
The OVAL in rule enable_fips_mode contains multiple checks. One
|
||||
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
|
||||
Although this is useful for latest RHEL versions, this file doesn't
|
||||
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
|
||||
remediation on these RHEL versions.
|
||||
|
||||
We want the same OVAL behavior on all minor RHEL releases, therefore
|
||||
we will remove this test from the OVAL completely.
|
||||
|
||||
Related to: https://github.com/ComplianceAsCode/content/pull/10897
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
|
||||
1 file changed, 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 88aae7aaab9..3b50e07060e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -12,8 +12,6 @@
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
@@ -57,19 +55,6 @@
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
- check="all" check_existence="all_exist"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
- </ind:textfilecontent54_test>
|
||||
-
|
||||
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- </ind:textfilecontent54_object>
|
||||
-
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
@ -1,272 +0,0 @@
|
||||
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:02:08 +0200
|
||||
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
|
||||
|
||||
This commit only improves readability without any technical impact in
|
||||
the OVAL logic.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
|
||||
1 file changed, 50 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index fe3f96f52a5..0ec076a5fb7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -1,32 +1,38 @@
|
||||
<def-group>
|
||||
- <definition class="compliance" id="enable_fips_mode" version="1">
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
||||
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
||||
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
+ <extend_definition definition_ref="etc_system_fips_exists"
|
||||
+ comment="check /etc/system-fips exists"/>
|
||||
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
+ comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ <extend_definition definition_ref="enable_dracut_fips_module"
|
||||
+ comment="Dracut FIPS module is enabled"/>
|
||||
+ <extend_definition definition_ref="configure_crypto_policy"
|
||||
+ comment="system cryptography policy is configured"/>
|
||||
+ <criterion test_ref="test_system_crypto_policy_value"
|
||||
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="Generic test for s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for s390x architecture"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
- <extend_definition comment="Generic test for NOT s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for NOT s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
- test_ref="test_grubenv_fips_mode" />
|
||||
+ <criterion test_ref="test_grubenv_fips_mode"
|
||||
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -34,58 +40,71 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
|
||||
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
|
||||
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
+
|
||||
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
|
||||
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
|
||||
</ind:variable_object>
|
||||
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
|
||||
+
|
||||
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
|
||||
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
|
||||
{{%- endif %}}
|
||||
</ind:variable_state>
|
||||
+
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
|
||||
- comment="Fips mode selected in running kernel opts" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Fips mode selected in running kernel opts">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
|
||||
- version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
|
||||
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
|
||||
<ind:pattern operation="pattern match">fips=1</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
{{% endif %}}
|
||||
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
|
||||
+
|
||||
+ <external_variable id="var_system_crypto_policy" version="1"
|
||||
+ datatype="string" comment="defined crypto policy"/>
|
||||
</def-group>
|
||||
|
||||
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:20:33 +0200
|
||||
Subject: [PATCH 2/2] Improve OVAL comments for better readability
|
||||
|
||||
Simplified the comments and aligned the respective lines to the
|
||||
project Style Guides.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
|
||||
1 file changed, 16 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 0ec076a5fb7..88aae7aaab9 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -3,36 +3,36 @@
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="etc_system_fips_exists"
|
||||
- comment="check /etc/system-fips exists"/>
|
||||
+ comment="check /etc/system-fips file existence"/>
|
||||
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
- comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
|
||||
<extend_definition definition_ref="enable_dracut_fips_module"
|
||||
- comment="Dracut FIPS module is enabled"/>
|
||||
+ comment="dracut FIPS module is enabled"/>
|
||||
<extend_definition definition_ref="configure_crypto_policy"
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for s390x architecture"/>
|
||||
+ comment="generic test for s390x architecture"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for NOT s390x architecture"/>
|
||||
+ comment="generic test for non-s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
<criterion test_ref="test_grubenv_fips_mode"
|
||||
comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -42,7 +42,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -59,7 +59,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -71,7 +71,7 @@
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
@@ -81,7 +81,8 @@
|
||||
</ind:variable_object>
|
||||
|
||||
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
|
||||
+to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
@@ -94,7 +95,7 @@
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Fips mode selected in running kernel opts">
|
||||
+ comment="FIPS mode is selected in running kernel options">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
@@ -106,5 +107,5 @@
|
||||
{{% endif %}}
|
||||
|
||||
<external_variable id="var_system_crypto_policy" version="1"
|
||||
- datatype="string" comment="defined crypto policy"/>
|
||||
+ datatype="string" comment="variable which selects the crypto policy"/>
|
||||
</def-group>
|
@ -1,263 +0,0 @@
|
||||
From 09b4ceaba513e23ee933349f8a89b9c9b7dc1c26 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Wed, 6 Dec 2023 10:02:00 +0100
|
||||
Subject: [PATCH 14/14] Add variable support to `auditd_name_format` rule
|
||||
|
||||
Patch-name: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
|
||||
Patch-status: Add variable support to `auditd_name_format` rule
|
||||
---
|
||||
controls/srg_gpos.yml | 1 +
|
||||
.../auditd_name_format/ansible/shared.yml | 7 +-
|
||||
.../auditd_name_format/bash/shared.sh | 7 +-
|
||||
.../auditd_name_format/oval/shared.xml | 49 ++++-
|
||||
.../auditd_name_format/rule.yml | 23 ++-
|
||||
.../var_auditd_flush.var | 2 +-
|
||||
.../var_auditd_name_format.var | 18 ++
|
||||
products/rhel7/profiles/stig.profile | 1 +
|
||||
products/rhel8/profiles/stig.profile | 1 +
|
||||
.../data/profile_stability/rhel8/stig.profile | 1 +
|
||||
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
||||
15 files changed, 289 insertions(+), 24 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
|
||||
|
||||
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
|
||||
index 1be70cf332..45fe8635c0 100644
|
||||
--- a/controls/srg_gpos.yml
|
||||
+++ b/controls/srg_gpos.yml
|
||||
@@ -29,3 +29,4 @@ controls:
|
||||
- var_auditd_space_left_action=email
|
||||
- login_banner_text=dod_banners
|
||||
- var_authselect_profile=sssd
|
||||
+ - var_auditd_name_format=stig
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
|
||||
index c933228357..015e9d6eff 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
|
||||
@@ -10,9 +10,14 @@
|
||||
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
|
||||
{{%- endif %}}
|
||||
|
||||
+{{{ ansible_instantiate_variables("var_auditd_name_format") }}}
|
||||
+
|
||||
+- name: "{{{ rule_title }}} - Define Value to Be Used in the Remediation"
|
||||
+ ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0] }}"
|
||||
+
|
||||
{{{ ansible_set_config_file(file=auditd_conf_path,
|
||||
parameter="name_format",
|
||||
- value="hostname",
|
||||
+ value="{{ auditd_name_format_split }}",
|
||||
create=true,
|
||||
separator=" = ",
|
||||
separator_regex="\s*=\s*",
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
|
||||
index 67a1203dd5..a08fddc901 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
|
||||
@@ -10,9 +10,14 @@
|
||||
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
|
||||
{{%- endif %}}
|
||||
|
||||
+
|
||||
+{{{ bash_instantiate_variables("var_auditd_name_format") }}}
|
||||
+
|
||||
+var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
|
||||
+
|
||||
{{{set_config_file(path=auditd_conf_path,
|
||||
parameter="name_format",
|
||||
- value="hostname",
|
||||
+ value="$var_auditd_name_format",
|
||||
create=true,
|
||||
insensitive=true,
|
||||
separator=" = ",
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
|
||||
index 1bb86958fa..a98a46773b 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
|
||||
@@ -3,10 +3,47 @@
|
||||
{{% else %}}
|
||||
{{% set audisp_conf_file = "/auditd.conf" %}}
|
||||
{{% endif %}}
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="auditd_name_format" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Set type of computer node name logging in audit logs</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_all</platform>
|
||||
+ </affected>
|
||||
+ <description>Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in {{{ audisp_conf_path + audisp_conf_file }}}</description>
|
||||
+ </metadata>
|
||||
+ <criteria comment="The respective application or service is configured correctly"
|
||||
+ operator="OR"><criterion comment="Check the name_format in {{{ audisp_conf_path + audisp_conf_file }}}"
|
||||
+ test_ref="test_auditd_name_format" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
|
||||
-{{{ oval_check_config_file(
|
||||
- path=audisp_conf_path + audisp_conf_file,
|
||||
- prefix_regex="^[ \\t]*(?i)",
|
||||
- parameter="name_format",
|
||||
- value="(?i)hostname(?-i)",
|
||||
- separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="tests the value of name_format setting in the {{{ audisp_conf_path + audisp_conf_file }}} file"
|
||||
+ id="test_auditd_name_format" version="1">
|
||||
+ <ind:object object_ref="obj_auditd_name_format" />
|
||||
+ <ind:state state_ref="state_auditd_name_format" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_auditd_name_format" version="1">
|
||||
+ <ind:filepath>{{{ audisp_conf_path + audisp_conf_file }}}</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_auditd_name_format" version="1">
|
||||
+ <ind:subexpression operation="pattern match" var_ref="var_auditd_name_format_regex" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <local_variable datatype="string" id="var_auditd_name_format_regex" version="1"
|
||||
+ comment="Build regex to be case insensitive">
|
||||
+ <concat>
|
||||
+ <literal_component>(?i)</literal_component>
|
||||
+ <variable_component var_ref="var_auditd_name_format"/>
|
||||
+ </concat>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <external_variable comment="audit name_format setting" datatype="string"
|
||||
+ id="var_auditd_name_format" version="1" />
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
index 76a908f28f..4ee80e3d07 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||||
@@ -1,11 +1,11 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'Set hostname as computer node name in audit logs'
|
||||
+title: 'Set type of computer node name logging in audit logs'
|
||||
|
||||
description: |-
|
||||
- To configure Audit daemon to use value returned by gethostname
|
||||
- syscall as computer node name in the audit events,
|
||||
- set <tt>name_format</tt> to <tt>hostname</tt>
|
||||
+ To configure Audit daemon to use a unique identifier
|
||||
+ as computer node name in the audit events,
|
||||
+ set <tt>name_format</tt> to <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>
|
||||
in <tt>/etc/audit/auditd.conf</tt>.
|
||||
|
||||
rationale: |-
|
||||
@@ -32,17 +32,22 @@ references:
|
||||
stigid@rhel8: RHEL-08-030062
|
||||
stigid@rhel9: RHEL-09-653060
|
||||
|
||||
-ocil_clause: name_format isn't set to hostname
|
||||
+ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
|
||||
|
||||
ocil: |-
|
||||
- To verify that Audit Daemon is configured to record the hostname
|
||||
- in audit events, run the following command:
|
||||
+ To verify that Audit Daemon is configured to record the computer node
|
||||
+ name in the audit events, run the following command:
|
||||
<pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>
|
||||
The output should return the following:
|
||||
- <pre>name_format = hostname</pre>
|
||||
+ <pre>name_format = {{{ xccdf_value("var_auditd_name_format") }}}</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example
|
||||
+ <pre>A|B|C</pre>, the first value will be used when remediating this rule.
|
||||
|
||||
fixtext: |-
|
||||
- {{{ fixtext_audit_configuration(param="name_format", value="hostname") | indent(4) }}}
|
||||
+ {{{ fixtext_audit_configuration(param="name_format", value=xccdf_value("var_auditd_name_format")) | indent(4) }}}
|
||||
|
||||
srg_requirement: |-
|
||||
{{{ full_name }}} must label all off-loaded audit logs before sending them to the central log server.
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
|
||||
index 3ae67d484a..f7b0bc5b8f 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
|
||||
@@ -13,5 +13,5 @@ options:
|
||||
default: data
|
||||
incremental: incremental
|
||||
incremental_async: incremental_async
|
||||
- none: none
|
||||
+ none: "none"
|
||||
sync: sync
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
|
||||
new file mode 100644
|
||||
index 0000000000..75cc597038
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
|
||||
@@ -0,0 +1,18 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Type of hostname to record the audit event'
|
||||
+
|
||||
+description: 'Type of hostname to record the audit event'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+options:
|
||||
+ default: hostname
|
||||
+ hostname: hostname
|
||||
+ fqd: fqd
|
||||
+ numeric: numeric
|
||||
+ user: user
|
||||
+ none: "none"
|
||||
+ stig: hostname|fqd|numeric
|
||||
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
|
||||
index 6483dfe3da..1e1e50765a 100644
|
||||
--- a/products/rhel7/profiles/stig.profile
|
||||
+++ b/products/rhel7/profiles/stig.profile
|
||||
@@ -335,6 +335,7 @@ selections:
|
||||
- accounts_authorized_local_users
|
||||
- auditd_overflow_action
|
||||
- auditd_name_format
|
||||
+ - var_auditd_name_format=stig
|
||||
- sebool_ssh_sysadm_login
|
||||
- sudoers_default_includedir
|
||||
- package_aide_installed
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 0e136784a1..3914fae78f 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -707,6 +707,7 @@ selections:
|
||||
|
||||
# RHEL-08-030062
|
||||
- auditd_name_format
|
||||
+ - var_auditd_name_format=stig
|
||||
|
||||
# RHEL-08-030063
|
||||
- auditd_log_format
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 7aabec8694..60dc9d3a50 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -473,6 +473,7 @@ selections:
|
||||
- var_auditd_disk_error_action=rhel8
|
||||
- var_auditd_max_log_file_action=syslog
|
||||
- var_auditd_disk_full_action=rhel8
|
||||
+- var_auditd_name_format=stig
|
||||
- var_sssd_certificate_verification_digest_function=sha1
|
||||
- login_banner_text=dod_banners
|
||||
- var_authselect_profile=sssd
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index bef1437536..b77c8eab2f 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -481,6 +481,7 @@ selections:
|
||||
- var_auditd_disk_error_action=rhel8
|
||||
- var_auditd_max_log_file_action=syslog
|
||||
- var_auditd_disk_full_action=rhel8
|
||||
+- var_auditd_name_format=stig
|
||||
- var_sssd_certificate_verification_digest_function=sha1
|
||||
- login_banner_text=dod_banners
|
||||
- var_authselect_profile=sssd
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,21 +0,0 @@
|
||||
From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 15 Aug 2023 15:17:16 +0200
|
||||
Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
|
||||
|
||||
rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
|
||||
---
|
||||
controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
index d5fe6e1327b..9d9dc579fc4 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
@@ -7,6 +7,4 @@ controls:
|
||||
rules:
|
||||
- sshd_enable_pam
|
||||
- sysctl_crypto_fips_enabled
|
||||
- - harden_sshd_ciphers_openssh_conf_crypto_policy
|
||||
- - harden_sshd_macs_openssh_conf_crypto_policy
|
||||
status: automated
|
@ -1,30 +0,0 @@
|
||||
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 17 Aug 2023 10:50:09 +0200
|
||||
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
|
||||
|
||||
---
|
||||
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
|
||||
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
||||
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
@ -1,104 +0,0 @@
|
||||
From cfbc85e51f15d106dd3cf03ef2fc7cd4f3c5d251 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:05:37 +0100
|
||||
Subject: [PATCH 06/14] Update sshd_approved_ciphers value for RHEL in STIG
|
||||
profile
|
||||
|
||||
Patch-name: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
|
||||
Patch-status: Update sshd_approved_ciphers value for RHEL in STIG profile
|
||||
---
|
||||
controls/srg_gpos.yml | 2 +-
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 6 +++---
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 6 +++---
|
||||
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
|
||||
index 65d58d5291..1be70cf332 100644
|
||||
--- a/controls/srg_gpos.yml
|
||||
+++ b/controls/srg_gpos.yml
|
||||
@@ -20,7 +20,7 @@ controls:
|
||||
- var_password_hashing_algorithm=SHA512
|
||||
- var_password_pam_dictcheck=1
|
||||
- sshd_approved_macs=stig_extended
|
||||
- - sshd_approved_ciphers=stig
|
||||
+ - sshd_approved_ciphers=stig_extended
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- var_accounts_authorized_local_users_regex=rhel8
|
||||
- var_account_disable_post_pw_expiration=35
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 5be8fb8127..0e136784a1 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -51,7 +51,7 @@ selections:
|
||||
- var_password_pam_minlen=15
|
||||
- var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig_extended
|
||||
- - sshd_approved_ciphers=stig
|
||||
+ - sshd_approved_ciphers=stig_extended
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- var_accounts_authorized_local_users_regex=rhel8
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 3fe7cdf4ea..7aabec8694 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- DISA STIG for Red Hat Enterprise Linux 8 V1R9.
|
||||
+ DISA STIG for Red Hat Enterprise Linux 8 V1R11.
|
||||
|
||||
|
||||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||
@@ -22,7 +22,7 @@ description: 'This profile contains configuration checks that align to the
|
||||
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
|
||||
extends: null
|
||||
metadata:
|
||||
- version: V1R10
|
||||
+ version: V1R11
|
||||
SMEs:
|
||||
- mab879
|
||||
- ggbecker
|
||||
@@ -455,7 +455,7 @@ selections:
|
||||
- var_password_pam_retry=3
|
||||
- var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig_extended
|
||||
-- sshd_approved_ciphers=stig
|
||||
+- sshd_approved_ciphers=stig_extended
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- var_accounts_authorized_local_users_regex=rhel8
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 66ada8588f..bef1437536 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9.
|
||||
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
|
||||
|
||||
|
||||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||
@@ -33,7 +33,7 @@ description: 'This profile contains configuration checks that align to the
|
||||
standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
|
||||
extends: null
|
||||
metadata:
|
||||
- version: V1R10
|
||||
+ version: V1R11
|
||||
SMEs:
|
||||
- mab879
|
||||
- ggbecker
|
||||
@@ -463,7 +463,7 @@ selections:
|
||||
- var_password_pam_retry=3
|
||||
- var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig_extended
|
||||
-- sshd_approved_ciphers=stig
|
||||
+- sshd_approved_ciphers=stig_extended
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- var_accounts_authorized_local_users_regex=rhel8
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,212 +0,0 @@
|
||||
From f0998f93828e756111294eb4c733fad77febd493 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Wed, 6 Dec 2023 10:31:53 +0100
|
||||
Subject: [PATCH 15/15] Update ssh stig HMACS and Ciphers allowed in OL8 STIG
|
||||
|
||||
Patch-name: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
|
||||
Patch-status: Update ssh stig HMACS and Ciphers allowed in OL8 STIG
|
||||
---
|
||||
linux_os/guide/services/ssh/sshd_approved_ciphers.var | 1 +
|
||||
.../tests/rhel8_stig_correct.pass.sh | 5 +++--
|
||||
.../tests/rhel8_stig_empty_policy.fail.sh | 2 +-
|
||||
.../tests/rhel8_stig_incorrect_policy.fail.sh | 2 +-
|
||||
.../tests/rhel8_stig_missing_file.fail.sh | 2 +-
|
||||
.../harden_sshd_macs_openssh_conf_crypto_policy/rule.yml | 4 ++--
|
||||
.../tests/stig_correct.pass.sh | 5 +++--
|
||||
.../tests/stig_correct_commented.fail.sh | 5 +++--
|
||||
.../stig_correct_followed_by_incorrect_commented.pass.sh | 5 +++--
|
||||
.../stig_incorrect_followed_by_correct_commented.fail.sh | 5 +++--
|
||||
.../rule.yml | 4 ++--
|
||||
products/ol8/profiles/stig.profile | 4 ++--
|
||||
12 files changed, 25 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||||
index 65c3fde987..4ab4d36cef 100644
|
||||
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||||
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||||
@@ -12,6 +12,7 @@ interactive: false
|
||||
|
||||
options:
|
||||
stig: aes256-ctr,aes192-ctr,aes128-ctr
|
||||
+ stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
|
||||
cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
|
||||
cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||||
index c84e0c1576..34b69406a3 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
+
|
||||
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
|
||||
-sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||||
configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||||
correct_value="-oCiphers=${sshd_approved_ciphers}"
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||||
index 66483e898a..60b4616ce5 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
|
||||
configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||||
index e350ce5f0a..3eca150b3f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
|
||||
configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||||
index 11b194db03..f8659efcf0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
|
||||
configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
|
||||
index 8736e39afc..547c31545e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
|
||||
@@ -12,7 +12,7 @@ description: |-
|
||||
To check that Crypto Policies settings are configured correctly, ensure that
|
||||
<tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
|
||||
line and is not commented out:
|
||||
- <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
|
||||
+ <tt>MACs {{{ xccdf_value("sshd_approved_macs") }}}</tt>
|
||||
|
||||
rationale: |-
|
||||
Overriding the system crypto policy makes the behavior of the OpenSSH
|
||||
@@ -38,7 +38,7 @@ ocil: |-
|
||||
To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
|
||||
<pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
|
||||
and verify that the line matches:
|
||||
- <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+ <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
|
||||
|
||||
warnings:
|
||||
- general: |-
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||||
index 6edae50924..49d18486f3 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
+
|
||||
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
|
||||
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
||||
configfile=/etc/crypto-policies/back-ends/openssh.config
|
||||
|
||||
# Ensure directory + file is there
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||||
index 0fec46a5c3..b068e2ea4d 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
+
|
||||
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
|
||||
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
||||
configfile=/etc/crypto-policies/back-ends/openssh.config
|
||||
|
||||
# Ensure directory + file is there
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||||
index 95bf94331c..f57f422701 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
+
|
||||
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
|
||||
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
||||
configfile=/etc/crypto-policies/back-ends/openssh.config
|
||||
|
||||
# Ensure directory + file is there
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||||
index 4af43d60e7..999463e1c2 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
+
|
||||
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
|
||||
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
||||
incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
||||
configfile=/etc/crypto-policies/back-ends/openssh.config
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
|
||||
index f08f120f9a..a76cee71d8 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
|
||||
@@ -12,7 +12,7 @@ description: |-
|
||||
To check that Crypto Policies settings are configured correctly, ensure that
|
||||
<tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
|
||||
text and is not commented out:
|
||||
- <tt>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</tt>
|
||||
+ <tt>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</tt>
|
||||
|
||||
rationale: |-
|
||||
Overriding the system crypto policy makes the behavior of the OpenSSH
|
||||
@@ -38,7 +38,7 @@ ocil: |-
|
||||
To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
||||
<pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
|
||||
and verify that the line matches:
|
||||
- <pre>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</pre>
|
||||
+ <pre>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</pre>
|
||||
|
||||
warnings:
|
||||
- general: |-
|
||||
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
|
||||
index ae2795c4fb..2be62c59ca 100644
|
||||
--- a/products/ol8/profiles/stig.profile
|
||||
+++ b/products/ol8/profiles/stig.profile
|
||||
@@ -38,8 +38,8 @@ selections:
|
||||
- var_password_pam_retry=3
|
||||
- var_password_pam_minlen=15
|
||||
- var_sshd_set_keepalive=0
|
||||
- - sshd_approved_macs=stig
|
||||
- - sshd_approved_ciphers=stig
|
||||
+ - sshd_approved_macs=stig_extended
|
||||
+ - sshd_approved_ciphers=stig_extended
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- var_accounts_authorized_local_users_regex=ol8
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,158 +0,0 @@
|
||||
From 1927922065ba7cab8e389d6b2e4ec014be491bed Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:05:37 +0100
|
||||
Subject: [PATCH 09/14] Add cron.deny Owership Rules
|
||||
|
||||
Patch-name: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
|
||||
Patch-status: Add cron.deny Owership Rules
|
||||
---
|
||||
components/cronie.yml | 2 +
|
||||
.../srg_gpos/SRG-OS-000480-GPOS-00227.yml | 2 +
|
||||
.../file_groupowner_cron_deny/rule.yml | 39 ++++++++++++++++++
|
||||
.../cron_and_at/file_owner_cron_deny/rule.yml | 41 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 2 -
|
||||
5 files changed, 84 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
|
||||
create mode 100644 linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
|
||||
|
||||
diff --git a/components/cronie.yml b/components/cronie.yml
|
||||
index c11edb518e..b8bf7f264a 100644
|
||||
--- a/components/cronie.yml
|
||||
+++ b/components/cronie.yml
|
||||
@@ -8,6 +8,8 @@ rules:
|
||||
- disable_anacron
|
||||
- file_at_deny_not_exist
|
||||
- file_cron_deny_not_exist
|
||||
+- file_owner_cron_deny
|
||||
+- file_groupowner_cron_deny
|
||||
- file_groupowner_at_allow
|
||||
- file_groupowner_cron_allow
|
||||
- file_groupowner_cron_d
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
index be60a154c1..d78256777c 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
@@ -64,6 +64,8 @@ controls:
|
||||
- file_permissions_ungroupowned
|
||||
- dir_perms_world_writable_root_owned
|
||||
- no_files_unowned_by_user
|
||||
+ - file_owner_cron_deny
|
||||
+ - file_groupowner_cron_deny
|
||||
|
||||
# service disabled
|
||||
# - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
|
||||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..7cacc3fc7b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
|
||||
@@ -0,0 +1,39 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Verify Group Who Owns cron.deny'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_file_group_owner(file="/etc/cron.deny", group="root") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Service configuration files enable or disable features of their respective services that if configured incorrectly
|
||||
+ can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
|
||||
+ correct group to prevent unauthorized changes.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86537-8
|
||||
+
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6 b
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_group_owner(file="/etc/cron.deny", group="root") }}}
|
||||
+
|
||||
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/cron.deny/", group="root") }}}'
|
||||
+
|
||||
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/cron.deny", group="root") }}}'
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath: /etc/cron.deny
|
||||
+ gid_or_name: '0'
|
||||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..4297313a74
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
|
||||
@@ -0,0 +1,41 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'Verify Owner on cron.deny'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_file_owner(file="/etc/cron.deny", owner="root") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Service configuration files enable or disable features of their respective services that if configured incorrectly
|
||||
+ can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
|
||||
+ correct user to prevent unauthorized changes.
|
||||
+
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86887-7
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6 b
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_owner(file="/etc/cron.deny", owner="root") }}}
|
||||
+
|
||||
+fixtext: '{{{ fixtext_file_owner(file="/etc/cron.deny/", owner="root") }}}'
|
||||
+
|
||||
+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/cron.deny", owner="root") }}}'
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath: /etc/cron.deny
|
||||
+ fileuid: '0'
|
||||
+
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 60663b117a..8ae1e4186f 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -259,7 +259,6 @@ CCE-86528-7
|
||||
CCE-86530-3
|
||||
CCE-86535-2
|
||||
CCE-86536-0
|
||||
-CCE-86537-8
|
||||
CCE-86538-6
|
||||
CCE-86539-4
|
||||
CCE-86540-2
|
||||
@@ -516,7 +515,6 @@ CCE-86880-2
|
||||
CCE-86881-0
|
||||
CCE-86882-8
|
||||
CCE-86886-9
|
||||
-CCE-86887-7
|
||||
CCE-86888-5
|
||||
CCE-86889-3
|
||||
CCE-86890-1
|
||||
--
|
||||
2.43.0
|
||||
|
File diff suppressed because one or more lines are too long
@ -1,26 +0,0 @@
|
||||
From eb4cedf1097bb556134a03648a99c60b16fa4726 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:22:29 +0100
|
||||
Subject: [PATCH 12/14] Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
|
||||
|
||||
Patch-name: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
|
||||
Patch-status: Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
|
||||
---
|
||||
.../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||||
index fef91a47df..3df07a5689 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||||
@@ -45,6 +45,7 @@ references:
|
||||
nist-csf: PR.AC-4,PR.DS-5
|
||||
pcidss: Req-7.1
|
||||
pcidss4: "2.2.6"
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel9: RHEL-09-212030
|
||||
|
||||
ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}}'
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 89c7d9f8e9837383047b036c9a42a9986590f307 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:22:29 +0100
|
||||
Subject: [PATCH 11/14] Add var_networkmanager_dns_mode to RHEL 9 STIG
|
||||
|
||||
Patch-name: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
|
||||
Patch-status: Add var_networkmanager_dns_mode to RHEL 9 STIG
|
||||
---
|
||||
controls/stig_rhel9.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
|
||||
index 0966ebb6fc..b576ba08c3 100644
|
||||
--- a/controls/stig_rhel9.yml
|
||||
+++ b/controls/stig_rhel9.yml
|
||||
@@ -1516,6 +1516,7 @@ controls:
|
||||
title: RHEL 9 must configure a DNS processing mode set be Network Manager.
|
||||
rules:
|
||||
- networkmanager_dns_mode
|
||||
+ - var_networkmanager_dns_mode=none
|
||||
status: automated
|
||||
|
||||
- id: RHEL-09-252045
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,294 +0,0 @@
|
||||
From 6f11431ae6ff21170b11e6777141cbe33a8ffe42 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:05:37 +0100
|
||||
Subject: [PATCH 08/14] New Rule networkmanager_dns_mode
|
||||
|
||||
Patch-name: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
|
||||
Patch-status: New Rule networkmanager_dns_mode
|
||||
---
|
||||
components/networkmanager.yml | 5 +++
|
||||
.../srg_gpos/SRG-OS-000480-GPOS-00227.yml | 4 +++
|
||||
.../system/network/networkmanager/group.yml | 7 ++++
|
||||
.../ansible/shared.yml | 14 ++++++++
|
||||
.../networkmanager_dns_mode/bash/shared.sh | 11 ++++++
|
||||
.../networkmanager_dns_mode/oval/shared.xml | 12 +++++++
|
||||
.../policy/stig/shared.yml | 15 ++++++++
|
||||
.../networkmanager_dns_mode/rule.yml | 34 +++++++++++++++++++
|
||||
.../tests/correct.pass.sh | 8 +++++
|
||||
.../tests/correct_default.pass.sh | 8 +++++
|
||||
.../tests/missing.fail.sh | 4 +++
|
||||
.../tests/wrong_value.fail.sh | 8 +++++
|
||||
.../var_networkmanager_dns_mode.var | 19 +++++++++++
|
||||
shared/applicability/package.yml | 2 ++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
15 files changed, 151 insertions(+), 1 deletion(-)
|
||||
create mode 100644 components/networkmanager.yml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/group.yml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
|
||||
create mode 100644 linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
|
||||
|
||||
diff --git a/components/networkmanager.yml b/components/networkmanager.yml
|
||||
new file mode 100644
|
||||
index 0000000000..75d54b9490
|
||||
--- /dev/null
|
||||
+++ b/components/networkmanager.yml
|
||||
@@ -0,0 +1,5 @@
|
||||
+name: NetworkManager
|
||||
+packages:
|
||||
+- NetworkManager
|
||||
+rules:
|
||||
+- networkmanager_dns_mode
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
index 1aceb0b187..be60a154c1 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
|
||||
@@ -225,6 +225,10 @@ controls:
|
||||
- set_firewalld_default_zone
|
||||
- firewalld_sshd_port_enabled
|
||||
|
||||
+ # NetworkManger
|
||||
+ - networkmanager_dns_mode
|
||||
+ - var_networkmanager_dns_mode=none
|
||||
+
|
||||
# misc
|
||||
- enable_authselect
|
||||
- no_host_based_files
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/group.yml b/linux_os/guide/system/network/networkmanager/group.yml
|
||||
new file mode 100644
|
||||
index 0000000000..4abf48ed96
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/group.yml
|
||||
@@ -0,0 +1,7 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Network Manager'
|
||||
+
|
||||
+description: |-
|
||||
+ The NetworkManager daemon configures a variety of network connections.
|
||||
+ This section discusses how to configure NetworkManager.
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..b416038bd9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
|
||||
@@ -0,0 +1,14 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}
|
||||
+
|
||||
+{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}
|
||||
+
|
||||
+- name: "{{{ rule_title }}} - Ensure Network Manager"
|
||||
+ ansible.builtin.systemd:
|
||||
+ name: NetworkManager
|
||||
+ state: reloaded
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..88491d288d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+
|
||||
+{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}
|
||||
+
|
||||
+{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}
|
||||
+
|
||||
+systemctl reload NetworkManager
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..cb07c9a9ed
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
|
||||
@@ -0,0 +1,12 @@
|
||||
+{{{
|
||||
+oval_check_ini_file(
|
||||
+ path="/etc/NetworkManager/NetworkManager.conf",
|
||||
+ section="main",
|
||||
+ parameter="dns",
|
||||
+ value="default|none",
|
||||
+ missing_parameter_pass=false,
|
||||
+ application="NetworkManager",
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=true
|
||||
+)
|
||||
+}}}
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..b644587b41
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
|
||||
@@ -0,0 +1,15 @@
|
||||
+checktext: |-
|
||||
+ [main]
|
||||
+ dns=none
|
||||
+
|
||||
+ If the dns key under main does not exist or is not set to "none" or "default", this is a finding.
|
||||
+
|
||||
+fixtext: |-
|
||||
+ Configure NetworkManager in RHEL 9 to use a DNS mode.
|
||||
+
|
||||
+ In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:
|
||||
+
|
||||
+ dns = none
|
||||
+
|
||||
+srg_requirement: |-
|
||||
+ {{ full_name }} must configure a DNS processing mode set be Network Manager.
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..8b703cb2f1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel9
|
||||
+
|
||||
+title: 'NetworkManager DNS Mode Must Be Must Configured'
|
||||
+
|
||||
+description:
|
||||
+ The DNS processing mode in NetworkManager describes how DNS is processed on the system.
|
||||
+ Depending the mode some changes the system's DNS may not be respected.
|
||||
+
|
||||
+rationale:
|
||||
+ To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86805-9
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+
|
||||
+ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'
|
||||
+
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.
|
||||
+
|
||||
+ $ NetworkManager --print-config
|
||||
+ [main]
|
||||
+ dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}
|
||||
+
|
||||
+platform: package[NetworkManager]
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7af3e14fc3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_networkmanager_dns_mode = none
|
||||
+# packages = NetworkManager
|
||||
+
|
||||
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
|
||||
+[main]
|
||||
+dns=none
|
||||
+EOM
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a19040e2d5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_networkmanager_dns_mode = default
|
||||
+# packages = NetworkManager
|
||||
+
|
||||
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
|
||||
+[main]
|
||||
+dns=default
|
||||
+EOM
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b81d82c807
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_networkmanager_dns_mode = default
|
||||
+
|
||||
+sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6de904b372
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_networkmanager_dns_mode = default
|
||||
+# packages = NetworkManager
|
||||
+
|
||||
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
|
||||
+[main]
|
||||
+dns=dnsmasq
|
||||
+EOM
|
||||
diff --git a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
|
||||
new file mode 100644
|
||||
index 0000000000..1be615dff9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
|
||||
@@ -0,0 +1,19 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'NetoworkManager DNS Mode'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+description: |-
|
||||
+ This sets how NetworkManager handles DNS.
|
||||
+
|
||||
+ none - NetworkManager will not modify resolv.conf.
|
||||
+ default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.
|
||||
+
|
||||
+interactive: true
|
||||
+
|
||||
+operator: 'equals'
|
||||
+
|
||||
+options:
|
||||
+ none: none
|
||||
+ default: default
|
||||
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
|
||||
index ee52a50f1f..4718c7cf71 100644
|
||||
--- a/shared/applicability/package.yml
|
||||
+++ b/shared/applicability/package.yml
|
||||
@@ -87,3 +87,5 @@ args:
|
||||
pkgname: zypper
|
||||
openssh:
|
||||
pkgname: openssh
|
||||
+ networkmanager:
|
||||
+ pkgname: NetworkManager
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 538d9d488d..60663b117a 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -459,7 +459,6 @@ CCE-86799-4
|
||||
CCE-86802-6
|
||||
CCE-86803-4
|
||||
CCE-86804-2
|
||||
-CCE-86805-9
|
||||
CCE-86806-7
|
||||
CCE-86807-5
|
||||
CCE-86808-3
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,67 +0,0 @@
|
||||
From 9062da533315a871939f3c22d4154e1f4141d432 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 16:22:30 +0100
|
||||
Subject: [PATCH 13/14] Minor modifications to RHEL STIG profiles
|
||||
|
||||
Patch-name: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
|
||||
Patch-status: Minor modifications to RHEL STIG profiles
|
||||
---
|
||||
controls/stig_rhel9.yml | 2 +-
|
||||
.../password_quality/passwd_system-auth_substack/rule.yml | 1 -
|
||||
.../audit_rules_immutable_login_uids/rule.yml | 1 +
|
||||
.../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 --
|
||||
4 files changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
|
||||
index b576ba08c3..73d9e9e1aa 100644
|
||||
--- a/controls/stig_rhel9.yml
|
||||
+++ b/controls/stig_rhel9.yml
|
||||
@@ -4114,7 +4114,7 @@ controls:
|
||||
- medium
|
||||
title: RHEL 9 audit system must protect logon UIDs from unauthorized change.
|
||||
rules:
|
||||
- - audit_immutable_login_uids
|
||||
+ - audit_rules_immutable_login_uids
|
||||
status: automated
|
||||
|
||||
- id: RHEL-09-654275
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
|
||||
index 89b82af3f2..55d3e47a54 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
|
||||
@@ -19,7 +19,6 @@ references:
|
||||
nist: IA-5(1)(a),IA-5(1).1(v),IA-5(1)(a)
|
||||
srg: SRG-OS-000069-GPOS-00037
|
||||
stigid@ol7: OL07-00-010118
|
||||
- stigid@rhel7: RHEL-07-010118
|
||||
|
||||
ocil_clause: '/etc/pam.d/passwd does not implement /etc/pam.d/system-auth'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
|
||||
index 46e249efbb..6a8ea53fc5 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
|
||||
@@ -33,6 +33,7 @@ references:
|
||||
disa: CCI-000162,CCI-000163,CCI-000164
|
||||
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
|
||||
stigid@rhel8: RHEL-08-030122
|
||||
+ stigid@rhel9: RHEL-09-654270
|
||||
|
||||
ocil_clause: 'the system is not configured to make login UIDs immutable'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
index 9f2f7dbc11..dbf1015a19 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
@@ -35,8 +35,6 @@ references:
|
||||
ospp: FAU_GEN.1.2
|
||||
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
|
||||
stigid@ol8: OL08-00-030122
|
||||
- stigid@rhel8: RHEL-08-030122
|
||||
- stigid@rhel9: RHEL-09-654270
|
||||
|
||||
ocil_clause: 'the file does not exist or the content differs'
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -5,39 +5,12 @@
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.69
|
||||
Release: 3%{?dist}
|
||||
Version: 0.1.72
|
||||
Release: 1%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Fix rule enable_fips_mode
|
||||
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
|
||||
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
|
||||
# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
|
||||
Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
|
||||
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
|
||||
Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
|
||||
# Update sshd_approved_ciphers value for RHEL in STIG profile
|
||||
Patch5: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
|
||||
# Add rule `package_s-nail-installed`
|
||||
Patch6: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
|
||||
# New Rule networkmanager_dns_mode
|
||||
Patch7: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
|
||||
# Add cron.deny Owership Rules
|
||||
Patch8: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
|
||||
# Add RHEL 9 STIG
|
||||
Patch9: scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
|
||||
# Add var_networkmanager_dns_mode to RHEL 9 STIG
|
||||
Patch10: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
|
||||
# Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
|
||||
Patch11: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
|
||||
# Minor modifications to RHEL STIG profiles
|
||||
Patch12: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
|
||||
# Add variable support to `auditd_name_format` rule
|
||||
Patch13: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
|
||||
# Update ssh stig HMACS and Ciphers allowed in OL8 STIG
|
||||
Patch14: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
@ -125,6 +98,15 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Feb 13 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
||||
- Rebase to a new upstream release 0.1.72 (RHEL-21425)
|
||||
- Check dropin files in /etc/systemd/journald.conf.d/ (RHEL-14484)
|
||||
- Fix remediation to not update comments (RHEL-1484)
|
||||
- Fix package check on SCAP tests for dnf settings (RHEL-17417)
|
||||
- Update description for audit_rules_kernel_module_loading (RHEL-1489)
|
||||
- Disable remediation for /dev/shm options in offline mode (RHEL-16801)
|
||||
- Include explanatory comment in the remediation of CCE-83871-4 (RHEL-17418)
|
||||
|
||||
* Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
|
||||
- Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user