import scap-security-guide-0.1.66-2.el8_7
parent
1d4339f8b0
commit
b2a3c09ec4
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.66.tar.bz2
|
||||
|
@ -1,2 +1,2 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
|
||||
|
@ -1,8 +1,24 @@
|
||||
From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 6 Feb 2023 14:44:17 +0100
|
||||
Subject: [PATCH] Disable profiles not in good shape
|
||||
|
||||
Patch-name: disable-not-in-good-shape-profiles.patch
|
||||
Patch-id: 0
|
||||
Patch-status: |
|
||||
Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||
---
|
||||
products/rhel8/CMakeLists.txt | 1 -
|
||||
products/rhel8/profiles/cjis.profile | 2 +-
|
||||
products/rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
products/rhel8/profiles/standard.profile | 2 +-
|
||||
4 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
|
||||
index 5258591c7f..cc4b9c5720 100644
|
||||
index 9c044b68ab..8f6ca03de8 100644
|
||||
--- a/products/rhel8/CMakeLists.txt
|
||||
+++ b/products/rhel8/CMakeLists.txt
|
||||
@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT})
|
||||
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
|
||||
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
|
||||
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
|
||||
@ -10,8 +26,8 @@ index 5258591c7f..cc4b9c5720 100644
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
|
||||
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 035d2705b..c6475f33e 100644
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index 22ae5aac72..f60b65bc06 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -20,8 +36,8 @@ index 035d2705b..c6475f33e 100644
|
||||
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index c84579592..164ec98c4 100644
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index b192461f95..ae1e7d5a15 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -30,8 +46,8 @@ index c84579592..164ec98c4 100644
|
||||
|
||||
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||||
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
index a63ae2cf3..da669bb84 100644
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
|
||||
index a63ae2cf32..da669bb843 100644
|
||||
--- a/products/rhel8/profiles/standard.profile
|
||||
+++ b/products/rhel8/profiles/standard.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -41,5 +57,5 @@ index a63ae2cf3..da669bb84 100644
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.26.2
|
||||
2.39.1
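Review bot: The new `Patch-status` text (`Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream`) states what the patch does but not why the three profiles are withheld or under what condition the patch can be dropped, which is exactly what the next rebase needs, and it does not mention the line the diffstat shows removed from products/rhel8/CMakeLists.txt (apparently one of the `ssg_build_html_profile_table` calls given the surrounding context). Suggest `Patch-status: |` followed by `Disable the cjis, rht-ccp and standard profiles in the RHEL8 datastream (and the matching CMakeLists.txt table entry) because they are not in a releasable state; drop once upstream marks them ready.` The added `Patch-id: 0` header is presumably consumed by the spec's patch-numbering tooling, so confirm the id is unique among the patches the spec applies. The actual edits to the three profile files are outside the rendered hunks (only context lines such as `metadata:`, `version: 5.4` and the profile titles are visible), so the mechanism used to disable them cannot be checked from this page.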
|
||||
|
||||
|
@ -1,227 +0,0 @@
|
||||
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:42:41 +0200
|
||||
Subject: [PATCH 1/3] Add platforms for partition existence
|
||||
|
||||
---
|
||||
shared/applicability/general.yml | 14 +++++++++++++
|
||||
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
|
||||
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
|
||||
shared/macros/10-ansible.jinja | 5 +++++
|
||||
shared/macros/10-bash.jinja | 5 +++++
|
||||
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
|
||||
6 files changed, 65 insertions(+)
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
|
||||
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||
index 2d23d753148..e2f5d04ce00 100644
|
||||
--- a/shared/applicability/general.yml
|
||||
+++ b/shared/applicability/general.yml
|
||||
@@ -77,6 +77,20 @@ cpes:
|
||||
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
|
||||
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
|
||||
|
||||
+ - partition-var-tmp:
|
||||
+ name: "cpe:/a:partition-var-tmp"
|
||||
+ title: "There is a /var/tmp partition"
|
||||
+ check_id: installed_env_mounts_var_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
|
||||
+
|
||||
+ - partition-tmp:
|
||||
+ name: "cpe:/a:partition-tmp"
|
||||
+ title: "There is a /tmp partition"
|
||||
+ check_id: installed_env_mounts_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
|
||||
+
|
||||
- polkit:
|
||||
name: "cpe:/a:polkit"
|
||||
title: "Package polkit is installed"
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..c1bcd6b2431
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..a72f49c8a8f
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/var/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 2d24f730d3f..478f0072bc7 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
when:
|
||||
- result_pam_file_present.stat.exists
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro ansible_partition_conditional(path) -%}}
|
||||
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
|
||||
index 94c3c6f9570..6a7fb165fd2 100644
|
||||
--- a/shared/macros/10-bash.jinja
|
||||
+++ b/shared/macros/10-bash.jinja
|
||||
@@ -2085,3 +2085,8 @@ else
|
||||
echo "{{{ pam_file }}} was not found" >&2
|
||||
fi
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro bash_partition_conditional(path) -%}}
|
||||
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index c8d7bbeffb7..1ec93b6ef7d 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
{{%- else %}}
|
||||
{{%- set user_list="nobody" %}}
|
||||
{{%- endif %}}
|
||||
+
|
||||
+
|
||||
+{{%- macro partition_exists_criterion(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{%- macro partition_exists_tos(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <linux:partition_test check="all" check_existence="all_exist"
|
||||
+ comment="Partition {{{ path }}} exists"
|
||||
+ id="test_partition_{{{ escaped_path }}}_exists"
|
||||
+ version="1">
|
||||
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
+ {{#- <linux:partition_state state_ref="" /> #}}
|
||||
+ </linux:partition_test>
|
||||
+
|
||||
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
||||
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
|
||||
+ </linux:partition_object>
|
||||
+{{%- endmacro %}}
|
||||
|
||||
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:43:21 +0200
|
||||
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
|
||||
|
||||
---
|
||||
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
|
||||
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
index 8ee8c8b12e0..741d0973283 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
@@ -38,7 +38,8 @@ references:
|
||||
stigid@ol8: OL08-00-040132
|
||||
stigid@rhel8: RHEL-08-040132
|
||||
|
||||
-platform: machine
|
||||
+platforms:
|
||||
+ - machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..241c0103d82
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
|
||||
|
||||
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 11:32:38 +0200
|
||||
Subject: [PATCH 3/3] Improve code style
|
||||
|
||||
- Improve description of OVAL macro
|
||||
- Use the escape_id filter to produce IDs
|
||||
---
|
||||
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
|
||||
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
|
||||
shared/macros/10-oval.jinja | 7 +++----
|
||||
3 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
index c1bcd6b2431..edd8ad050f5 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
index a72f49c8a8f..cf9aafbdb04 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/var/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index 1ec93b6ef7d..f302091f7df 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
|
||||
|
||||
{{%- macro partition_exists_criterion(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
{{%- endmacro %}}
|
||||
|
||||
-{{%- macro partition_exists_tos(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- macro partition_exists_test_object(path) %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<linux:partition_test check="all" check_existence="all_exist"
|
||||
comment="Partition {{{ path }}} exists"
|
||||
id="test_partition_{{{ escaped_path }}}_exists"
|
||||
version="1">
|
||||
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
- {{#- <linux:partition_state state_ref="" /> #}}
|
||||
</linux:partition_test>
|
||||
|
||||
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
@ -1,92 +0,0 @@
|
||||
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:35:50 +0200
|
||||
Subject: [PATCH] Add the platform applicability to relevant rules
|
||||
|
||||
---
|
||||
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
index 45a73e0286a..79a19a8d30b 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040123
|
||||
stigid@rhel8: RHEL-08-040123
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
index 7356183bab3..d3f6d6175e5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
@@ -44,7 +44,7 @@ references:
|
||||
stigid@ol8: OL08-00-040125
|
||||
stigid@rhel8: RHEL-08-040125
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
index d153b86934f..10790dc95a7 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040124
|
||||
stigid@rhel8: RHEL-08-040124
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
index 133e7727ca7..05992df4b49 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
@@ -31,7 +31,7 @@ references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||||
nist-csf: PR.IP-1,PR.PT-3
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
index 39fd458ec6b..dc00b2f2376 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040134
|
||||
stigid@rhel8: RHEL-08-040134
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
index 349f3348955..f0c26b6d9c5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040133
|
||||
stigid@rhel8: RHEL-08-040133
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
@ -1,48 +0,0 @@
|
||||
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:14:58 +0200
|
||||
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
|
||||
|
||||
It seems that the data about ansible_mounts should be accessed without
|
||||
the 'ansible_facts' prefix.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 478f0072bc7..e8bff0973f5 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
{{%- endmacro -%}}
|
||||
|
||||
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:16:24 +0200
|
||||
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
|
||||
|
||||
The json_query filter requires package jmespath to be installed.
|
||||
|
||||
This also avoids mismatchs in python version between ansible and
|
||||
python3-jmespath. Some distros (RHEL8) don't have jmespath module
|
||||
available for the same python version ansible is using.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index e8bff0973f5..beb2bc11403 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
|
||||
{{%- endmacro -%}}
|
@ -1,33 +0,0 @@
|
||||
From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 18:53:02 +0200
|
||||
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
|
||||
|
||||
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
|
||||
uses zIPL.
|
||||
---
|
||||
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 65056a654c6..7af675de0d3 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -7,9 +7,16 @@
|
||||
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- {{% if product in ["ol8","rhel8"] %}}
|
||||
+ {{% if product in ["ol8"] %}}
|
||||
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
test_ref="test_grubenv_fips_mode" />
|
||||
+ {{% elif product in ["rhel8"] %}}
|
||||
+ <criteria operator="OR">
|
||||
+ <extend_definition comment="Generic test for s390x architecture"
|
||||
+ definition_ref="system_info_architecture_s390_64" />
|
||||
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
+ test_ref="test_grubenv_fips_mode" />
|
||||
+ </criteria>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
@ -1,107 +0,0 @@
|
||||
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 12:45:24 +0200
|
||||
Subject: [PATCH] Fix rule sudo_custom_logfile
|
||||
|
||||
- Allow only white space after the Default keyword to avoid
|
||||
matching words that only start with Default.
|
||||
- If the variable value contains slashes they need to be escaped
|
||||
because the sed command uses slashes as a separator, otherwise
|
||||
the sed doesn't replace the wrong line during a remediation.
|
||||
|
||||
Also adds 2 test scenarios.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
|
||||
---
|
||||
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
|
||||
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
|
||||
shared/templates/sudo_defaults_option/ansible.template | 2 +-
|
||||
shared/templates/sudo_defaults_option/bash.template | 5 +++--
|
||||
shared/templates/sudo_defaults_option/oval.template | 2 +-
|
||||
6 files changed, 14 insertions(+), 5 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index 739f5f14936..94fbaaa33ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
|
||||
|
||||
ocil: |-
|
||||
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
The command should return a matching output.
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..13ff4559edb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ec24854f0f9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
|
||||
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
|
||||
index 094fa430b64..c9e344ec772 100644
|
||||
--- a/shared/templates/sudo_defaults_option/ansible.template
|
||||
+++ b/shared/templates/sudo_defaults_option/ansible.template
|
||||
@@ -8,7 +8,7 @@
|
||||
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
|
||||
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
|
||||
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
|
||||
validate: /usr/sbin/visudo -cf %s
|
||||
backrefs: yes
|
||||
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
|
||||
index e3563d42db6..e7d962a668d 100644
|
||||
--- a/shared/templates/sudo_defaults_option/bash.template
|
||||
+++ b/shared/templates/sudo_defaults_option/bash.template
|
||||
@@ -9,7 +9,7 @@
|
||||
{{% endif %}}
|
||||
if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
cp /etc/sudoers /etc/sudoers.bak
|
||||
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
# sudoers file doesn't define Option {{{ OPTION }}}
|
||||
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
|
||||
{{%- if not VARIABLE_NAME %}}
|
||||
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
{{% if '/' in OPTION %}}
|
||||
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
{{% endif %}}
|
||||
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
|
||||
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
|
||||
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
|
||||
fi
|
||||
fi
|
||||
{{% endif %}}
|
||||
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
|
||||
index c0d81c95093..a9636a7204a 100644
|
||||
--- a/shared/templates/sudo_defaults_option/oval.template
|
||||
+++ b/shared/templates/sudo_defaults_option/oval.template
|
||||
@@ -13,7 +13,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -1,967 +0,0 @@
|
||||
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Wed, 13 Apr 2022 20:06:18 +0800
|
||||
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
|
||||
|
||||
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
|
||||
A simple test case as follows:
|
||||
|
||||
/etc/rsyslog.conf
|
||||
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
||||
|
||||
/etc/rsyslog.d/custom1.conf
|
||||
local1.* /tmp/local1.out
|
||||
|
||||
/etc/rsyslog.d/custom2.conf
|
||||
local2.* /tmp/local2.out
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index b794ea8db31..02b0c36d899 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,8 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 14 Apr 2022 15:58:04 +0800
|
||||
Subject: [PATCH 02/15] A better fix.
|
||||
|
||||
* Should also fixed the CI failure.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 02b0c36d899..1aebb8f9da5 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,10 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 15 Apr 2022 10:47:37 +0800
|
||||
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
|
||||
|
||||
---
|
||||
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
|
||||
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
|
||||
2 files changed, 113 insertions(+)
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
new file mode 100755
|
||||
index 00000000000..7cb09128d78
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -0,0 +1,56 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0600 from $IncludeConfig passes.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS=0600
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
new file mode 100755
|
||||
index 00000000000..942eaf086a1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -0,0 +1,57 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0601 from $IncludeConfig fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
|
||||
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 19 May 2022 01:22:19 +0800
|
||||
Subject: [PATCH 04/15] The way using 'find' can be retired.
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
|
||||
1 file changed, 5 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 1aebb8f9da5..cece5930ee8 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
-RSYSLOG_CONFIGS=()
|
||||
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+declare -a RSYSLOG_CONFIGS
|
||||
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Get full list of files to be checked
|
||||
-# RSYSLOG_CONFIGS may contain globs such as
|
||||
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
-RSYSLOG_FILES=()
|
||||
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
-do
|
||||
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
|
||||
- RSYSLOG_FILES+=("${FINDOUT[@]}")
|
||||
-done
|
||||
-
|
||||
-# Check file and fix if needed.
|
||||
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
|
||||
+# Browse each file selected above as containing paths of log files
|
||||
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:30:37 +0800
|
||||
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cece5930ee8..50d36d7426f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
+# Array to hold all rsyslog config entries
|
||||
declare -a RSYSLOG_CONFIGS
|
||||
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
+# Array to hold all rsyslog config files
|
||||
+declare -a RSYSLOG_CONFIG_FILES
|
||||
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
+do
|
||||
+ # If directory, need to include files recursively
|
||||
+ if [ -d "${ENTRY}" ]
|
||||
+ then
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
+ elif [ -f "${ENTRY}" ]
|
||||
+ then
|
||||
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
||||
+ else
|
||||
+ echo "Invalid include object: ${ENTRY}"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
# Browse each file selected above as containing paths of log files
|
||||
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:46:33 +0800
|
||||
Subject: [PATCH 06/15] Update test files.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 7cb09128d78..2ddd9fcb697 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 942eaf086a1..73ff3332c6d 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
|
||||
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 10:03:32 +0800
|
||||
Subject: [PATCH 07/15] Rsyslog says we should include all files
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
|
||||
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
|
||||
3 files changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 50d36d7426f..cd5014105e9 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -24,7 +24,7 @@ do
|
||||
# If directory, need to include files recursively
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 2ddd9fcb697..755865ca522 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -31,12 +35,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 73ff3332c6d..063b1a0cbe5 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,20 +10,24 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -32,12 +36,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sat, 21 May 2022 16:02:26 +0800
|
||||
Subject: [PATCH 08/15] Match glob() function of rsyslog
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
|
||||
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
|
||||
3 files changed, 55 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cd5014105e9..38105bf086b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
|
||||
declare -a RSYSLOG_CONFIG_FILES
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
- # If directory, need to include files recursively
|
||||
+ # If directory, rsyslog will search for config files in recursively.
|
||||
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 755865ca522..a5a2f67fadc 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 063b1a0cbe5..a9d0adfb727 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,48 +10,61 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sun, 22 May 2022 21:10:16 +0800
|
||||
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 38105bf086b..e1129e34c81 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -54,7 +54,7 @@ do
|
||||
then
|
||||
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
||||
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
||||
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
|
||||
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
|
||||
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
||||
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
||||
# Since above sed command might return more than one item (delimited by newline), split the particular
|
||||
|
||||
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Tue, 24 May 2022 00:42:17 +0800
|
||||
Subject: [PATCH 10/15] Added platform.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index a9d0adfb727..fe4db0a3c91 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
|
||||
# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
# log file permissions 0601 from $IncludeConfig fails.
|
||||
|
||||
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:56:39 +0200
|
||||
Subject: [PATCH 11/15] Reset the arrays before using them
|
||||
|
||||
When bash remediations for a profile are generated, it can happen that a
|
||||
variable with same name is used for multiple remediations.
|
||||
So let's reset the array before using it.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index e1129e34c81..d1856ffbe7b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
# Array to hold all rsyslog config entries
|
||||
-declare -a RSYSLOG_CONFIGS
|
||||
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+RSYSLOG_CONFIGS=()
|
||||
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Array to hold all rsyslog config files
|
||||
-declare -a RSYSLOG_CONFIG_FILES
|
||||
+# Get full list of files to be checked
|
||||
+# RSYSLOG_CONFIGS may contain globs such as
|
||||
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
+RSYSLOG_CONFIG_FILES=()
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# If directory, rsyslog will search for config files in recursively.
|
||||
|
||||
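Review bot: `declare -a LOG_FILE_PATHS` on the context line at the top of the hunk is left as a bare declaration, although the commit's own rationale — the same variable name recurring when several remediations are concatenated — applies to it too: `declare -a` on an array that already exists does not empty it. Unless it is reset further down the file, `LOG_FILE_PATHS=()` would be the consistent fix. The added `RSYSLOG_CONFIGS=()` immediately followed by `RSYSLOG_CONFIGS=(...)` is redundant, since a plain `=(` assignment already replaces the whole array. The `readarray` in the hunk header feeds include paths read from the rsyslog configuration through `eval printf`; that line is outside the hunk, but a config value being re-parsed by the shell deserves a second look.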
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 14:55:37 +0200
|
||||
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
|
||||
|
||||
Let's follow rsyslog behavior and not capture process hidden config
|
||||
files for includes.
|
||||
---
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
|
||||
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
|
||||
2 files changed, 62 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index a04e6fd8900..d13177216c3 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -17,8 +17,17 @@
|
||||
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
|
||||
+ include() or $IncludeConfig that point to hidden dirs or files.
|
||||
+ Rsyslog ignores these conf files, so we should ignore them too.
|
||||
+ -->
|
||||
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
||||
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
||||
<unique>
|
||||
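Review bot: The exclusion pattern `^.*\/\..*$` on the new state matches any `/.` sequence, so include values containing `./` or `../` path components would be discarded as well, although the comment above it justifies the filter only for dot-prefixed (hidden) names. If such relative segments can appear in include directives, `^.*\/\.[^./].*$` restricts the match to a name that starts with a dot. The enclosing `textfilecontent54_object` begins outside the hunk.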
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9b0185c6b2f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
@@ -0,0 +1,53 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create hidden test2 configuration file
|
||||
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
|
||||
+cat << EOF > ${test_conf2}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
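Review bot: The header comment at the top of the new file says the configuration "fails", but this is a `.pass.sh` scenario: the hidden `.test2.conf` that points at the 0601 log is meant to be ignored and the rule to pass. Suggest replacing the two comment lines with `# Check that rsyslog.conf with log file permissions 0600 from rules passes when the only 0601 log comes from a hidden $IncludeConfig file, which rsyslog ignores.`; `permisssions` is also misspelled. The same copied header appears in the `include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh` test added by the next patch.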
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 15:49:11 +0200
|
||||
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
|
||||
|
||||
The rsyslog conf file may include other config files.
|
||||
If the included missing files are missing rsyslog will generate an
|
||||
error, but will still continue working.
|
||||
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
|
||||
|
||||
There is not a good way of ensuring that all files defined in a list of paths exist.
|
||||
---
|
||||
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
|
||||
1 file changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b929f2a94ab
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
@@ -0,0 +1,45 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# Skip creation test2 configuration file
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
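Review bot: `${test_conf2}` is never assigned in this script — the `# Skip creation test2 configuration file` comment replaces both the file creation and the variable assignment — so the generated rsyslog.conf ends with `$IncludeConfig ` followed by an empty value, and the scenario no longer exercises a missing include at all. Keep the path while skipping the file: `test_conf2=${RSYSLOG_TEST_DIR}/test2.conf` under a comment such as `# test2.conf is deliberately not created`. The header comment also says the case "fails" although the file is a `.pass.sh`.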
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:47:18 +0200
|
||||
Subject: [PATCH 14/15] Align Ansible remediation with Bash
|
||||
|
||||
The remediation now expands the glob expressions and doesn't collect
|
||||
hidden files or directories to check for their permissions.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index 635b72f7352..c558bf46c71 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -19,19 +19,26 @@
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
||||
- register: include_config_output
|
||||
+ register: rsyslog_old_inc
|
||||
changed_when: False
|
||||
|
||||
- name: "Get include files directives"
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
||||
- register: include_files_output
|
||||
+ register: rsyslog_new_inc
|
||||
changed_when: False
|
||||
|
||||
+- name: "Expand glob expressions"
|
||||
+ shell: |
|
||||
+ set -o pipefail
|
||||
+ eval printf '%s\\n' {{ item }}
|
||||
+ register: include_config_output
|
||||
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
||||
+
|
||||
- name: "List all config files"
|
||||
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
|
||||
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
|
||||
+ shell: find {{ item }} -not -path "*/.*" -type f
|
||||
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
changed_when: False
|
||||
|
||||
|
||||
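Review bot: The new "Expand glob expressions" task has `register` and `loop` but no `changed_when: False`, unlike the sibling shell tasks in the hunk, so the play reports a change on every run although the task only reads. Its `eval printf '%s\\n' {{ item }}` is also a second round of shell parsing applied to a value taken from rsyslog.conf: Jinja has already pasted `{{ item }}` into the script, so `printf '%s\n' {{ item }}` expands the glob just as well without `eval`, and the directive text is then interpreted by the shell only once. The same unquoted `{{ item }}` is handed to `find` in the "List all config files" task; if the include values are not validated elsewhere in the playbook, a shape check on the collected lines before looping would be the defensive choice.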
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:56:05 +0200
|
||||
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
|
||||
|
||||
Let's not fail the task when the find doesn't find the include object.
|
||||
When the include is a glob expression that doesn't evaluate to any file
|
||||
the glob itself is used in find command.
|
||||
|
||||
The Bash remediation prints a message for each include that is not a
|
||||
file is not a directory or doesn't exist.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index c558bf46c71..3a9380cf13b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -40,6 +40,7 @@
|
||||
shell: find {{ item }} -not -path "*/.*" -type f
|
||||
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
+ failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: "Extract log files"
|
@ -1,90 +0,0 @@
|
||||
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||
Subject: [PATCH 1/4] fix ospp references
|
||||
|
||||
---
|
||||
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
index c151d3c4aa1..f9b46c51ddd 100644
|
||||
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
@@ -34,6 +34,7 @@ references:
|
||||
disa: CCI-000213
|
||||
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||
nist: AC-3
|
||||
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
|
||||
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index b47630c62b0..dcc41970043 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -115,7 +115,7 @@ selections:
|
||||
- coredump_disable_storage
|
||||
- coredump_disable_backtraces
|
||||
- service_systemd-coredump_disabled
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- use_pam_wheel_for_su
|
||||
|
||||
|
||||
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||
|
||||
---
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -220,7 +220,7 @@ selections:
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- securetty_root_login_console_only
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- var_password_pam_unix_remember=5
|
||||
- accounts_password_pam_unix_remember
|
||||
|
||||
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||
Subject: [PATCH 4/4] update profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 5d73a8c6fef..21e93e310d5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -242,7 +242,7 @@ selections:
|
||||
- var_slub_debug_options=P
|
||||
- var_auditd_flush=incremental_async
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
-- var_authselect_profile=sssd
|
||||
+- var_authselect_profile=minimal
|
||||
- var_password_pam_unix_remember=5
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
@ -1,50 +0,0 @@
|
||||
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 09:59:57 +0200
|
||||
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
|
||||
grub2_disable_recovery in rhel8 ospp
|
||||
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
index 4f8d4ddcfde..fb126cbe7d8 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
@@ -17,6 +17,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-86006-4
|
||||
cce@rhel9: CCE-85986-8
|
||||
|
||||
references:
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index ebec8a3a6f9..6e3b30f64bb 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -304,7 +304,7 @@ selections:
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
- require_singleuser_auth
|
||||
- - grub2_disable_interactive_boot
|
||||
+ - grub2_disable_recovery
|
||||
- grub2_uefi_password
|
||||
- no_empty_passwords
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 21e93e310d5..267b66a4f89 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -89,7 +89,7 @@ selections:
|
||||
- ensure_redhat_gpgkey_installed
|
||||
- grub2_audit_argument
|
||||
- grub2_audit_backlog_limit_argument
|
||||
-- grub2_disable_interactive_boot
|
||||
+- grub2_disable_recovery
|
||||
- grub2_kernel_trust_cpu_rng
|
||||
- grub2_page_poison_argument
|
||||
- grub2_pti_argument
|
@ -1,97 +0,0 @@
|
||||
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:01:42 +0200
|
||||
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
|
||||
|
||||
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
|
||||
---
|
||||
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
|
||||
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
|
||||
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
|
||||
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
index 9d1b7b675c9..5905ea8d0e6 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
@@ -22,6 +22,7 @@
|
||||
- /usr/sbin/aureport
|
||||
- /usr/sbin/ausearch
|
||||
- /usr/sbin/autrace
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
|
||||
|
||||
- name: Ensure existing AIDE configuration for audit tools are correct
|
||||
lineinfile:
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
index d0a1ba2522f..a81e25c3950 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
@@ -18,12 +18,11 @@
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
-{{% if product == 'ol8' %}}
|
||||
+{{% if product == 'ol8' or 'rhel' in product %}}
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
{{% for file in auditfiles %}}
|
||||
-
|
||||
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
|
||||
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
|
||||
else
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
index 6ce56c1137a..ca9bf4f94d0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
@@ -11,7 +11,7 @@
|
||||
{{% if 'rhel' not in product and product != 'ol8' %}}
|
||||
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
|
||||
{{% endif %}}
|
||||
- {{% if product == 'ol8' %}}
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}
|
||||
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
|
||||
{{% endif %}}
|
||||
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
index 756b88d8a23..071dde13295 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
@@ -7,7 +7,7 @@ aide --init
|
||||
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
index f3a2a126d3d..cb9bbfa7350 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
@@ -4,7 +4,7 @@
|
||||
yum -y install aide
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
index 4315cef2073..a22aecb0000 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
@@ -6,7 +6,7 @@ yum -y install aide
|
||||
aide --init
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
@ -1,187 +0,0 @@
|
||||
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:50:37 +0200
|
||||
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
|
||||
|
||||
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
|
||||
sysctl_net_ipv4_forward.
|
||||
---
|
||||
.../rule.yml | 44 +++++++++++++++++++
|
||||
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..7b0066f7c29
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
@@ -0,0 +1,44 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ IP forwarding permits the kernel to forward packets from one network
|
||||
+ interface to another. The ability to forward packets between two networks is
|
||||
+ only appropriate for systems acting as routers.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: CCE-86220-1
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-040259
|
||||
+
|
||||
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
|
||||
+ The ability to forward packets is only appropriate for routers.
|
||||
+
|
||||
+fixtext: |-
|
||||
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
|
||||
+
|
||||
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.conf.all.forwarding
|
||||
+ datatype: int
|
||||
+
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
new file mode 100644
|
||||
index 00000000000..2aedd6e6432
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
@@ -0,0 +1,17 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: net.ipv4.conf.all.forwarding
|
||||
+
|
||||
+description: 'Toggle IPv4 Forwarding'
|
||||
+
|
||||
+type: number
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+options:
|
||||
+ default: "0"
|
||||
+ disabled: "0"
|
||||
+ enabled: 1
|
||||
+
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 914233f06bf..3e14b73dd71 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -168,7 +168,6 @@ CCE-86216-9
|
||||
CCE-86217-7
|
||||
CCE-86218-5
|
||||
CCE-86219-3
|
||||
-CCE-86220-1
|
||||
CCE-86221-9
|
||||
CCE-86222-7
|
||||
CCE-86223-5
|
||||
|
||||
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:53:32 +0200
|
||||
Subject: [PATCH 2/2] Better align with RHEL-08-040259
|
||||
|
||||
The item is about net.ipv4.conf.all.forwarding
|
||||
The update to V1R7 made brought this misalignment to light.
|
||||
---
|
||||
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
4 files changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
index 5c449db7f3a..7acfc0b05b6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
@@ -45,7 +45,6 @@ references:
|
||||
stigid@ol7: OL07-00-040740
|
||||
stigid@ol8: OL08-00-040260
|
||||
stigid@rhel7: RHEL-07-040740
|
||||
- stigid@rhel8: RHEL-08-040259
|
||||
stigid@sle12: SLES-12-030430
|
||||
stigid@sle15: SLES-15-040380
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 4b480bd2c11..6b44436a2b1 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1127,7 +1127,7 @@ selections:
|
||||
- sysctl_net_ipv6_conf_default_accept_source_route
|
||||
|
||||
# RHEL-08-040259
|
||||
- - sysctl_net_ipv4_ip_forward
|
||||
+ - sysctl_net_ipv4_conf_all_forwarding
|
||||
|
||||
# RHEL-08-040260
|
||||
- sysctl_net_ipv6_conf_all_forwarding
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 4bee72830d0..47f53a9d023 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -1,7 +1,7 @@
|
||||
title: DISA STIG for Red Hat Enterprise Linux 8
|
||||
description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
|
||||
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
|
||||
|
||||
|
||||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||
@@ -395,13 +395,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index ece32d06a6f..c4e60ddcde5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -405,13 +405,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
@ -1,89 +0,0 @@
|
||||
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 9 Aug 2022 17:28:33 +0200
|
||||
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
|
||||
profile.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
|
||||
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
|
||||
products/rhel8/profiles/stig.profile | 14 +++++++-------
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
||||
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
|
||||
5 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
index 46ea0558a42..1e9c6172758 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
@@ -57,6 +57,7 @@ references:
|
||||
stigid@ol7: OL07-00-040320
|
||||
stigid@ol8: OL08-00-010201
|
||||
stigid@rhel7: RHEL-07-040320
|
||||
+ stigid@rhel8: RHEL-08-010201
|
||||
stigid@sle12: SLES-12-030190
|
||||
stigid@sle15: SLES-15-010280
|
||||
stigid@ubuntu2004: UBTU-20-010037
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
index 0f0693ddc6c..f6e98a61d9a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
@@ -53,6 +53,7 @@ references:
|
||||
stigid@ol7: OL07-00-040340
|
||||
stigid@ol8: OL08-00-010200
|
||||
stigid@rhel7: RHEL-07-040340
|
||||
+ stigid@rhel8: RHEL-08-010200
|
||||
stigid@sle12: SLES-12-030191
|
||||
stigid@sle15: SLES-15-010320
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 6b44436a2b1..124b7520d3a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -170,13 +170,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
- # anymore. They will be disabled for now until an alternative
|
||||
- # solution is found.
|
||||
- # # RHEL-08-010200
|
||||
- # - sshd_set_keepalive_0
|
||||
- # # RHEL-08-010201
|
||||
- # - sshd_set_idle_timeout
|
||||
+ # Although these rules have a different behavior in RHEL>=8.6
|
||||
+ # they still need to be selected so it follows exactly what STIG
|
||||
+ # states.
|
||||
+ # RHEL-08-010200
|
||||
+ - sshd_set_keepalive_0
|
||||
+ # RHEL-08-010201
|
||||
+ - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 47f53a9d023..6c75d0ae1b1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -369,6 +369,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index c4e60ddcde5..8a7a469b940 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -379,6 +379,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
@ -1,113 +0,0 @@
|
||||
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:57:52 +0200
|
||||
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
|
||||
|
||||
Update rule sudoers_default_includedir to accept as compliant sudoers
|
||||
files that don't have any #include or #includedir directive
|
||||
---
|
||||
.../oval/shared.xml | 24 +++++++++++++++----
|
||||
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
|
||||
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
|
||||
3 files changed, 26 insertions(+), 8 deletions(-)
|
||||
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 59cab0b89de..629fbe8c6d2 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -1,10 +1,16 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criteria operator="OR">
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
|
||||
+ </criteria>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -32,6 +38,16 @@
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_without_includedir" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||
<ind:object object_ref="object_sudoersd_without_includes" />
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
index aa2aaee19f8..83bfb0183bd 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -8,9 +8,11 @@ description: |-
|
||||
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||
other directories and configuration files from the file currently being parsed.
|
||||
|
||||
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
|
||||
+ or that no drop-in file is included.
|
||||
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
|
||||
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
|
||||
Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
|
||||
rationale: |-
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
similarity index 51%
|
||||
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
index 1e0ab8aea92..fe73cb25076 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -i "/#includedir.*/d" /etc/sudoers
|
||||
+sed -i "/#include(dir)?.*/d" /etc/sudoers
|
||||
|
||||
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 12:01:12 +0200
|
||||
Subject: [PATCH 2/2] Improve definition's comments
|
||||
|
||||
---
|
||||
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 629fbe8c6d2..82095acc6ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -8,8 +8,8 @@
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
@ -1,358 +0,0 @@
|
||||
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 09:57:33 +0200
|
||||
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
|
||||
.../tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
|
||||
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 496a8491f32..697f79fa872 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,4 +59,8 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..516bfaf1369
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="1"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ef1b8da0479
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="2"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
index e3fc78e3f05..1eae854f6b0 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
@@ -17,5 +17,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- disabled: "0"
|
||||
enabled: 1
|
||||
+ loose: 2
|
||||
|
||||
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 10:53:40 +0200
|
||||
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict_value.var | 1 -
|
||||
4 files changed, 24 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 1984b3c8691..5706eee0a0a 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,6 +42,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..e6efae48b25
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="1"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..be3f2b743ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="2"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
index 452328e3efd..268550de53d 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
@@ -12,6 +12,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- 0: 0
|
||||
1: 1
|
||||
2: 2
|
||||
|
||||
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:08:34 +0200
|
||||
Subject: [PATCH 3/5] Remove variable selector that will result in error
|
||||
|
||||
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
|
||||
cannot have the value 0, it will never result in pass.
|
||||
---
|
||||
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
index b8bf965a255..cbfd9bafa91 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
@@ -13,6 +13,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 2
|
||||
- 0: "0"
|
||||
1: "1"
|
||||
2: "2"
|
||||
|
||||
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:33:03 +0200
|
||||
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
|
||||
|
||||
For now, the only STIGs I see that adopted this change were RHEL's and
|
||||
OL's.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
|
||||
6 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 697f79fa872..f04ae37c13d 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,8 +59,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
index 516bfaf1369..583b70a3b97 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
index ef1b8da0479..ef545976dc6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 5706eee0a0a..f53e035effa 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,10 +42,12 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
index e6efae48b25..70189666c16 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
index be3f2b743ef..209395fa9a1 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
|
||||
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 14:01:40 +0200
|
||||
Subject: [PATCH 5/5] Update OCIL check along with the rule
|
||||
|
||||
The OCIL should should mention both compliant values.
|
||||
---
|
||||
.../rule.yml | 29 +++++++++++++++++--
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
|
||||
2 files changed, 55 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index f04ae37c13d..4d31c6c3ebd 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -47,11 +47,36 @@ references:
|
||||
stigid@rhel7: RHEL-07-040611
|
||||
stigid@rhel8: RHEL-08-040285
|
||||
|
||||
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
|
||||
+ or:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ net.ipv4.conf.all.rp_filter = 1
|
||||
+ or:
|
||||
+ net.ipv4.conf.all.rp_filter = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
|
||||
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
|
||||
|
||||
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index f53e035effa..367934b5672 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -34,6 +34,33 @@ references:
|
||||
|
||||
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
||||
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl kernel.kptr_restrict</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>kernel.kptr_restrict = 1</code>
|
||||
+ or:
|
||||
+ <code>kernel.kptr_restrict = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>kernel.kptr_restrict = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent kernel parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ kernel.kptr_restrict = 1
|
||||
+ or:
|
||||
+ kernel.kptr_restrict = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
|
||||
+
|
||||
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
|
||||
|
||||
platform: machine
|
||||
@@ -52,4 +79,4 @@ template:
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
|
||||
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
|
@ -1,92 +0,0 @@
|
||||
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 8 Aug 2022 14:34:34 +0200
|
||||
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
|
||||
configuring queues
|
||||
|
||||
---
|
||||
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 4ce56d2e6a5..c73d9ec95a6 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -90,3 +90,20 @@ fixtext: |-
|
||||
*.* @@[remoteloggingserver]:[port]"
|
||||
|
||||
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
|
||||
+
|
||||
+warnings:
|
||||
+ - functionality: |-
|
||||
+ It is important to configure queues in case the client is sending log
|
||||
+ messages to a remote server. If queues are not configured, there is a
|
||||
+ danger that the system will stop functioning in case that the connection
|
||||
+ to the remote server is not available. Please consult Rsyslog
|
||||
+ documentation for more information about configuration of queues. The
|
||||
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
+ can look like the following lines:
|
||||
+ <pre>
|
||||
+ $ActionQueueType LinkedList
|
||||
+ $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueMaxDiskSpace 1g
|
||||
+ $ActionQueueSaveOnShutdown on
|
||||
+ $ActionResumeRetryCount -1
|
||||
+ </pre>
|
||||
|
||||
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 09:41:00 +0200
|
||||
Subject: [PATCH 2/3] Apply suggestions from code review
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index c73d9ec95a6..706d3265a08 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -95,14 +95,14 @@ warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
messages to a remote server. If queues are not configured, there is a
|
||||
- danger that the system will stop functioning in case that the connection
|
||||
+ the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
||||
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
can look like the following lines:
|
||||
<pre>
|
||||
$ActionQueueType LinkedList
|
||||
- $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueFileName queuefilename
|
||||
$ActionQueueMaxDiskSpace 1g
|
||||
$ActionQueueSaveOnShutdown on
|
||||
$ActionResumeRetryCount -1
|
||||
|
||||
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 10:55:04 +0200
|
||||
Subject: [PATCH 3/3] Update
|
||||
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 706d3265a08..cce4d5cac1d 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
|
||||
warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
- messages to a remote server. If queues are not configured, there is a
|
||||
+ messages to a remote server. If queues are not configured,
|
||||
the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
@ -0,0 +1,106 @@
|
||||
From 5e28d4aa823560545e6b49d58e55aecb572f6bd9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 7 Feb 2023 10:53:18 +0100
|
||||
Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
|
||||
---
|
||||
.../oval/shared.xml | 68 +++++++++++++++----
|
||||
1 file changed, 54 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
index 4adef2e53f..d7c96665b4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
@@ -133,9 +133,10 @@
|
||||
OVAL resources in order to detect and assess only active zone, which are zones with at
|
||||
least one NIC assigned to it. Since it was possible to easily have the list of active
|
||||
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
||||
- level of complexity to make sure environments with multiple NICs and multiple zones are
|
||||
- in use. So, in favor of simplicity and readbility it was decided to work with a static
|
||||
- list. It means that, in the future, it is possible this list needs to be updated. -->
|
||||
+ level of complexity to ensure proper assessment in environments where multiple NICs and
|
||||
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
|
||||
+ work with a static list. It means that, in the future, it is possible this list needs to
|
||||
+ be updated. -->
|
||||
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
|
||||
datatype="string"
|
||||
comment="Regex containing the list of zones files delivered in the firewalld package">
|
||||
@@ -145,23 +146,62 @@
|
||||
<!-- If any default zone is modified by the administrator, the respective zone file is placed
|
||||
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
||||
directory is applicable for new zones created by the administrator. Therefore, all files
|
||||
- in this directory should also allow SSH. -->
|
||||
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
+ in this directory should also allow SSH.
|
||||
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
|
||||
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
|
||||
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
|
||||
+ an impact in transparency since the objects are not shown in reports. The transparency
|
||||
+ impact can be workarounded by using other OVAL objects, but this would impact in
|
||||
+ readability and would increase complexity. This solution is in favor of simplicity. -->
|
||||
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
check="all" check_existence="at_least_one_exists" version="1"
|
||||
comment="SSH service is defined in all zones created or modified by the administrator">
|
||||
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- </ind:xmlfilecontent_test>
|
||||
+ <ind:object
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
|
||||
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_test>
|
||||
+
|
||||
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ version="1">
|
||||
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files allowing ssh">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
|
||||
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:path>/etc/firewalld/zones</ind:path>
|
||||
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
+ <ind:path>/etc/firewalld/zones</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
</ind:xmlfilecontent_object>
|
||||
|
||||
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
- </ind:xmlfilecontent_state>
|
||||
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path>/etc/firewalld/zones</unix:path>
|
||||
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
|
||||
+ </unix:file_object>
|
||||
|
||||
<!-- SSH service is configured as expected -->
|
||||
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
|
||||
--
|
||||
2.39.1
|
||||
|
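Review bot: The two counts compared by `test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc` come from objects that can enumerate different file sets: `object_firewalld_sshd_port_enabled_custom_zone_files` carries `recurse="directories" recurse_direction="down" max_depth="1"`, so it also collects `.xml` files one level below `/etc/firewalld/zones`, while `object_firewalld_sshd_port_enabled_zone_files_etc` declares no behaviors and, by the OVAL defaults as far as I recall, reads only files directly in that directory. Any `.xml` file in a subdirectory would then raise the denominator and fail the rule although every zone file allows SSH; keeping only `<unix:behaviors recurse_file_system="local"/>` (no directory recursion) puts both objects on the same set of files. The comment also leaves unstated that the test passes vacuously when the directory holds no `.xml` file, since both counts are 0; a line such as `<!-- With no custom zone files both counts are 0 and the test passes: there is nothing to check. -->` would make that explicit. Whether the post-1.3.7 xmlfilecontent probe still reports an item for files where the xpath does not match is not visible here; if it does, the `with_ssh` count would no longer distinguish zones lacking the service, so this is worth confirming against the issue cited in the comment.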
@ -0,0 +1,122 @@
|
||||
From 8a0670168b1b8278bb943d8f48acbd728905deb7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Feb 2023 14:42:32 +0100
|
||||
Subject: [PATCH 5/5] Accept required and requisite control flag for
|
||||
pam_pwhistory
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
Patch-status: Accept required and requisite control flag for pam_pwhistory
|
||||
---
|
||||
controls/cis_rhel8.yml | 2 +-
|
||||
controls/cis_rhel9.yml | 2 +-
|
||||
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
|
||||
.../rule.yml | 4 ++++
|
||||
.../var_password_pam_remember_control_flag.var | 1 +
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
8 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
||||
index c0406f97b8..efc53d03fd 100644
|
||||
--- a/controls/cis_rhel8.yml
|
||||
+++ b/controls/cis_rhel8.yml
|
||||
@@ -2267,7 +2267,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
|
||||
index 7299a39528..30f7e8d182 100644
|
||||
--- a/controls/cis_rhel9.yml
|
||||
+++ b/controls/cis_rhel9.yml
|
||||
@@ -2112,7 +2112,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
index 1e8286a4a4..b02b7da419 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
@@ -5,7 +5,7 @@ controls:
|
||||
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
|
||||
rules:
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
status: automated
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
index c549de2e96..d2b220ef9f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
@@ -129,3 +129,7 @@ warnings:
|
||||
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
|
||||
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
|
||||
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
|
||||
+ If a custom profile was created and used in the system before this authselect feature was
|
||||
+ available, the new feature can't be used with this custom profile and the
|
||||
+ remediation will fail. In this case, the custom profile should be recreated or manually
|
||||
+ updated.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
index 8f01007550..1959936c04 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
@@ -20,4 +20,5 @@ options:
|
||||
"sufficient": "sufficient"
|
||||
"binding": "binding"
|
||||
"ol8": "required,requisite"
|
||||
+ "requisite_or_required": "requisite,required"
|
||||
default: "requisite"
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 8c64868619..a3f7dc9720 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -37,7 +37,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 6970a32b4f..5d694c6ae1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -433,7 +433,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 314f14e4f6..e165525b90 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -441,7 +441,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
--
|
||||
2.39.1
|
||||
|
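Review bot: The new `"requisite_or_required": "requisite,required"` option in `var_password_pam_remember_control_flag.var` carries the same two flags as the existing `"ol8": "required,requisite"` entry just above it, so the file now has two keys for one value set that differ only in order; if the consuming template treats the list as alternatives the order is irrelevant and one key could alias the other, otherwise the differing order deserves a comment. A short comment in the .var file, e.g. `# either flag makes a reused password fail the stack; they differ only in whether later modules still run`, would record why both controls are accepted by this rule. The profile, control and stability-test hunks agree with each other and `default: "requisite"` is unchanged, so existing tailorings keep their behavior.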
@ -0,0 +1,147 @@
|
||||
From 96ef6ed5f2e74b83c366c9704b37904731e526a1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 11:14:40 +0100
|
||||
Subject: [PATCH 6/6] remove rule logind_session_timeout and associated
|
||||
variable from profiles
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
Patch-status: remove rule logind_session_timeout and associated variable from profiles
|
||||
---
|
||||
controls/anssi.yml | 2 --
|
||||
products/rhel8/profiles/cjis.profile | 2 --
|
||||
products/rhel8/profiles/ospp.profile | 2 --
|
||||
products/rhel8/profiles/pci-dss.profile | 2 --
|
||||
products/rhel8/profiles/rht-ccp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
|
||||
7 files changed, 14 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 607ce976ef..9e631d1de4 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -676,8 +676,6 @@ controls:
|
||||
- var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index f60b65bc06..18394802b9 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- - logind_session_timeout
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
- sshd_disable_root_login
|
||||
@@ -120,7 +119,6 @@ selections:
|
||||
- set_firewalld_default_zone
|
||||
- firewalld_sshd_port_enabled
|
||||
- sshd_idle_timeout_value=30_minutes
|
||||
- - var_logind_session_timeout=30_minutes
|
||||
- inactivity_timeout_value=30_minutes
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_tcp_syncookies
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 0fe17b2085..fb46ab4c0c 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -300,8 +300,6 @@ selections:
|
||||
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=14_minutes
|
||||
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
|
||||
index c63c5f4a07..c0c9b12773 100644
|
||||
--- a/products/rhel8/profiles/pci-dss.profile
|
||||
+++ b/products/rhel8/profiles/pci-dss.profile
|
||||
@@ -17,7 +17,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
- - var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
@@ -110,7 +109,6 @@ selections:
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dconf_gnome_screensaver_mode_blank
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- accounts_password_pam_minlen
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index 0a00d2f46b..775727e885 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -12,7 +12,6 @@ selections:
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- sshd_idle_timeout_value=5_minutes
|
||||
- - var_logind_session_timeout=5_minutes
|
||||
- var_accounts_minimum_age_login_defs=7
|
||||
- var_accounts_passwords_pam_faillock_deny=5
|
||||
- var_accounts_password_warn_age_login_defs=7
|
||||
@@ -89,7 +88,6 @@ selections:
|
||||
- package_telnet_removed
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index a31f3245d8..267b66a4f8 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- kernel_module_firewire-core_disabled
|
||||
- kernel_module_sctp_disabled
|
||||
- kernel_module_tipc_disabled
|
||||
-- logind_session_timeout
|
||||
- mount_option_boot_nodev
|
||||
- mount_option_boot_nosuid
|
||||
- mount_option_dev_shm_nodev
|
||||
@@ -254,7 +253,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
-- var_logind_session_timeout=14_minutes
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=never
|
||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
index 5c77ea6a85..902d0084fc 100644
|
||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
@@ -109,7 +109,6 @@ selections:
|
||||
- gid_passwd_group_same
|
||||
- grub2_audit_argument
|
||||
- install_hids
|
||||
-- logind_session_timeout
|
||||
- no_empty_passwords
|
||||
- package_aide_installed
|
||||
- package_audispd-plugins_installed
|
||||
@@ -137,7 +136,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
-- var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
--
|
||||
2.39.1
|
||||
|
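Review bot: The `controls/anssi.yml` hunk is not product-specific, unlike the `products/rhel8/profiles/*` and `tests/data/profile_stability/rhel8/*` hunks, so any other product built from this content with the ANSSI control file would lose `logind_session_timeout` as well; if only the RHEL 8 datastream is built here that is fine, but the Patch-status should say so. The Patch-status trailer merely repeats the Subject and gives no reason for dropping the rule and its variable; one sentence naming the cause (the bug from the changelog, or why the rule cannot be met on this platform) would help the next rebase decide whether the patch can be dropped. After this change the idle-session controls still visible in these hunks are the sshd idle timeout, `var_accounts_tmout` and, in pci-dss, the GNOME screensaver lock; whether that combination still satisfies the idle-timeout requirement for every session type is a policy decision worth recording alongside the rationale.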
@ -5,8 +5,8 @@
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.63
|
||||
Release: 4%{?dist}
|
||||
Version: 0.1.66
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -14,28 +14,21 @@ URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
# Rsyslog files rules remediations
|
||||
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
|
||||
# Extends rsyslog_logfiles_attributes_modify template for permissions
|
||||
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
|
||||
# Change custom zones check in firewalld_sshd_port_enabled
|
||||
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
# Accept required and requisite control flag for pam_pwhistory
|
||||
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
# remove rule logind_session_timeout and associated variable from profiles
|
||||
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
|
||||
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
|
||||
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
|
||||
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
|
||||
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
|
||||
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
|
||||
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
|
||||
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
|
||||
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
|
||||
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
|
||||
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
|
||||
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
|
||||
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
|
||||
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
|
||||
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
|
||||
Patch16: scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
@ -139,6 +132,21 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
||||
- Unselect rule logind_session_timeout (RHBZ#2168079)
|
||||
|
||||
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2168079)
|
||||
- Update RHEL8 STIG profile to V1R9 (RHBZ#2168075)
|
||||
- Fix levels of CIS rules (RHBZ#2168072)
|
||||
- Remove unused RHEL8 STIG control file (RHBZ#2168069)
|
||||
- Fix handling of space in sudo_require_reauthentication (RHBZ#2168066)
|
||||
- Add rule for audit immutable login uids (RHBZ#2168063)
|
||||
- Fix remediation of audit watch rules (RHBZ#2168060)
|
||||
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2168057)
|
||||
- Fix applicability of kerberos rules (RHBZ#2168054)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2168050)
|
||||
|
||||
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
|
||||
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
|
||||
|
||||
|
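Review bot: The `%changelog` entry for 0.1.66-2 records only the logind_session_timeout change, and the 0.1.66-1 entry does not mention the firewalld custom-zone check (Patch3) or the pam_pwhistory control-flag relaxation (Patch4), so a reader of the changelog cannot tell which release introduced those two behavior changes; one line each, such as `- Accept required and requisite control flag for pam_pwhistory`, would close the gap. Both entries cite RHBZ#2168079, which is presumably intentional (one bug covering the rebase and the follow-up) but reads like a copy-paste slip and is worth confirming.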