import scap-security-guide-0.1.57-1.el8
parent
9be20b0383
commit
b842fea880
@ -1,2 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.56.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.57.tar.bz2
|
||||
|
@ -1,2 +1,2 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
68280f72027ec89fda4b861fda932110d833d0d1 SOURCES/scap-security-guide-0.1.56.tar.bz2
|
||||
d78bdc956df4301c3b3bbb2f9f24d809d7b1d08c SOURCES/scap-security-guide-0.1.57.tar.bz2
|
||||
|
@ -1,22 +1,7 @@
|
||||
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 3 Dec 2020 14:35:47 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
---
|
||||
rhel8/CMakeLists.txt | 6 ------
|
||||
rhel8/profiles/cjis.profile | 2 +-
|
||||
rhel8/profiles/ism_o.profile | 2 +-
|
||||
rhel8/profiles/rhelh-stig.profile | 2 +-
|
||||
rhel8/profiles/rhelh-vpp.profile | 2 +-
|
||||
rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
rhel8/profiles/standard.profile | 2 +-
|
||||
11 files changed, 10 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index d61689c97..5e444a101 100644
|
||||
--- a/rhel8/CMakeLists.txt
|
||||
+++ b/rhel8/CMakeLists.txt
|
||||
--- a/products/rhel8/CMakeLists.txt
|
||||
+++ b/products/rhel8/CMakeLists.txt
|
||||
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
|
||||
@ -33,60 +18,30 @@ index d61689c97..5e444a101 100644
|
||||
ssg_build_html_cce_table(${PRODUCT})
|
||||
|
||||
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
|
||||
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 035d2705b..c6475f33e 100644
|
||||
--- a/rhel8/profiles/cjis.profile
|
||||
+++ b/rhel8/profiles/cjis.profile
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
|
||||
index a3c427c01..4605dea3b 100644
|
||||
--- a/rhel8/profiles/ism_o.profile
|
||||
+++ b/rhel8/profiles/ism_o.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
metadata:
|
||||
SMEs:
|
||||
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
|
||||
index 1efca5f44..c3d0b0964 100644
|
||||
--- a/rhel8/profiles/rhelh-stig.profile
|
||||
+++ b/rhel8/profiles/rhelh-stig.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
|
||||
index 2baee6d66..8592d7aaf 100644
|
||||
--- a/rhel8/profiles/rhelh-vpp.profile
|
||||
+++ b/rhel8/profiles/rhelh-vpp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index c84579592..164ec98c4 100644
|
||||
--- a/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/rhel8/profiles/rht-ccp.profile
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||||
|
||||
diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
index a63ae2cf3..da669bb84 100644
|
||||
--- a/rhel8/profiles/standard.profile
|
||||
+++ b/rhel8/profiles/standard.profile
|
||||
--- a/products/rhel8/profiles/standard.profile
|
||||
+++ b/products/rhel8/profiles/standard.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
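Review bot: In the rebased patch, the `diff --git` headers for cjis.profile, rht-ccp.profile and standard.profile read `a/products/rhel8/... b/rhel8/...` — the a/ path carries the new `products/` prefix while the b/ path does not, yet the `---`/`+++` lines directly below each of them both use `products/rhel8/...`. GNU patch and git apply take the file names from the `---`/`+++` lines when those are present, so the patch should still apply, but the self-inconsistent header is a sign of hand editing and may confuse tooling that reads the `diff --git` line (rename detection, `--stat` output). Regenerate the three headers as `diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile`, and likewise for rht-ccp.profile and standard.profile, or re-export the patch with `git format-patch` against the 0.1.57 tree. This rendered view drops the outer +/- markers, so which line of each header pair is the new side is inferred from the `products/` prefix rather than shown, and the ism_o, rhelh-stig and rhelh-vpp hunks appear only with the old `rhel8/` path, which reads as their removal from the patch but cannot be confirmed here.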
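--- a/<deleted-patch-file-name-not-shown>
+++ /dev/null
@@ -1,115 +0,0 @@
-From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 5 Jan 2021 18:03:24 +0100
-Subject: [PATCH] Add rule sudo_add_passwd_timeout
-
-This rule configures sudo password prompt timeout.
----
-controls/anssi.yml | 3 +-
-.../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++
-.../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
-shared/references/cce-redhat-avail.txt | 2 -
-4 files changed, 63 insertions(+), 3 deletions(-)
-create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
-create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
-
-diff --git a/controls/anssi.yml b/controls/anssi.yml
-index 705f8e25aab..5120456230b 100644
---- a/controls/anssi.yml
-+++ b/controls/anssi.yml
-@@ -892,7 +892,8 @@ controls:
-- var_sudo_umask=0027
-- sudo_add_ignore_dot
-- sudo_add_env_reset
-- # passwd_timeout=1
-+ - sudo_add_passwd_timeout
-+ - var_sudo_passwd_timeout=1_minute
-
-- id: R59
-level: minimal
-diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
-new file mode 100644
-index 00000000000..ae3399527f4
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
-@@ -0,0 +1,40 @@
-+documentation_complete: true
-+
-+prodtype: ol7,ol8,rhel7,rhel8
-+
-+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
-+
-+description: |-
-+ The sudo <tt>passwd_timeout</tt> tag sets the amount of time sudo password prompt waits.
-+{{%- if product in ["rhel7", "rhel8"] %}}
-+ On {{{ full_name }}}, the default <tt>passwd_timeout</tt> value is 5 minutes.
-+{{% endif %}}
-+ The passwd_timeout should be configured by making sure that the
-+ <tt>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</tt> tag exists in
-+ <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
-+ in <tt>/etc/sudoers.d/</tt>.
-+
-+rationale: |-
-+ Reducing the time <tt>sudo</tt> waits for a a password reduces the time the process is exposed.
-+
-+severity: medium
-+
-+identifiers:
-+ cce@rhel7: CCE-83963-9
-+ cce@rhel8: CCE-83964-7
-+
-+references:
-+ anssi: BP28(R58)
-+
-+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
-+
-+ocil: |-
-+ To determine if <tt>passwd_timeout</tt> has been configured for sudo, run the following command:
-+ <pre>$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/</pre>
-+ The command should return a matching output.
-+
-+template:
-+ name: sudo_defaults_option
-+ vars:
-+ option: passwd_timeout
-+ variable_name: "var_sudo_passwd_timeout"
-diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
-new file mode 100644
-index 00000000000..4a9dcd5bb7b
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
-@@ -0,0 +1,21 @@
-+documentation_complete: true
-+
-+title: 'Sudo - passwd_timeout value'
-+
-+description: |-
-+ Defines the number of minutes before the <tt>sudo</tt> password prompt times out.
-+ Defining 0 means no timeout. The default timeout value is 5 minutes.
-+
-+interactive: false
-+
-+type: string
-+
-+operator: equals
-+
-+options:
-+ default: "5"
-+ infinite: "0"
-+ 1_minute: "1"
-+ 2_minutes: "2"
-+ 3_minutes: "3"
-+ 5_minutes: "5"
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 61391f50c2d..e095e405f66 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -349,8 +349,6 @@ CCE-83959-7
-CCE-83960-5
-CCE-83961-3
-CCE-83962-1
--CCE-83963-9
--CCE-83964-7
-CCE-83965-4
-CCE-83966-2
-CCE-83967-0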
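--- a/<deleted-patch-file-name-not-shown>
+++ /dev/null
@@ -1,76 +0,0 @@
-commit c58a2b0af3c8094446df1850cb1c943d51b2ec5f
-Author: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue Jun 8 13:40:28 2021 +0200
-
-Add option to enable installation of individual ansible playbooks per rule.
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 6995944..bd317c0 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -46,6 +46,7 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
-option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
-option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
-option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
-+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
-option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
-option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
-set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
-@@ -231,6 +232,7 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
-message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
-message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
-message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
-+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
-if (SSG_JINJA2_CACHE_ENABLED)
-message(STATUS "jinja2 cache: enabled")
-message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
-diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
-index b487a0b..b7db7fd 100644
---- a/cmake/SSGCommon.cmake
-+++ b/cmake/SSGCommon.cmake
-@@ -746,8 +746,12 @@ macro(ssg_build_product PRODUCT)
-ssg_build_xccdf_unlinked(${PRODUCT})
-ssg_build_ocil_unlinked(${PRODUCT})
-ssg_build_remediations(${PRODUCT})
-- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
-+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
-ssg_build_ansible_playbooks(${PRODUCT})
-+ add_dependencies(
-+ ${PRODUCT}-content
-+ generate-${PRODUCT}-ansible-playbooks
-+ )
-endif()
-ssg_build_xccdf_with_remediations(${PRODUCT})
-ssg_build_oval_unlinked(${PRODUCT})
-@@ -778,10 +782,6 @@ macro(ssg_build_product PRODUCT)
-add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
-
-if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
-- add_dependencies(
-- ${PRODUCT}-content
-- generate-${PRODUCT}-ansible-playbooks
-- )
-ssg_build_profile_playbooks(${PRODUCT})
-add_custom_target(
-${PRODUCT}-profile-playbooks
-@@ -885,6 +885,20 @@ macro(ssg_build_product PRODUCT)
-endif()
-"
-)
-+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
-+ install(
-+ CODE "
-+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
-+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
-+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
-+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
-+ else()
-+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
-+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
-+ endif()
-+ "
-+ )
-+ endif()
-
-# grab all the kickstarts (if any) and install them
-file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")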
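--- a/<deleted-patch-file-name-not-shown>
+++ /dev/null
@@ -1,120 +0,0 @@
-From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 10 May 2021 18:53:02 +0200
-Subject: [PATCH] Update and select seboolean rules for R67
-
-Fix description of sebool_deny_execmem, and warning about possible
-issues.
-Add rationale to rules the SELinux booleans.
----
-controls/anssi.yml | 14 +++++++++---
-.../sebool_deny_execmem/rule.yml | 22 ++++++++++++++-----
-.../sebool_selinuxuser_execheap/rule.yml | 4 +++-
-.../sebool_selinuxuser_execstack/rule.yml | 3 ++-
-4 files changed, 33 insertions(+), 10 deletions(-)
-
-diff --git a/controls/anssi.yml b/controls/anssi.yml
-index 705f8e25aab..ef9356a6fea 100644
---- a/controls/anssi.yml
-+++ b/controls/anssi.yml
-@@ -967,10 +967,18 @@ controls:
-allow_execstack to off, forbids processes to make their stack executable;
-secure_mode_insmod to on, prohibits dynamic loading of modules by any process;
-ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
-+ notes:
-+ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the
-+ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not
-+ available, deny_execmem provides the same functionality.
-+ automated: yes
-rules:
-- # Add rule for sebool allow_execheap
-- # Add rule for sebool allow_execmem
-- # Add rule for sebool allow_execstack
-+ - var_selinuxuser_execheap=off
-+ - sebool_selinuxuser_execheap
-+ - var_deny_execmem=on
-+ - sebool_deny_execmem
-+ - var_selinuxuser_execstack=off
-+ - sebool_selinuxuser_execstack
-- var_secure_mode_insmod=on
-- sebool_secure_mode_insmod
-- sebool_ssh_sysadm_login
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-index f340ea4be11..e8453fbfb8d 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-@@ -2,14 +2,16 @@ documentation_complete: true
-
-prodtype: rhel7,rhel8,rhel9,rhv4
-
--title: 'Disable the deny_execmem SELinux Boolean'
-+title: 'Enable the deny_execmem SELinux Boolean'
-
-description: |-
-By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.
-- If this setting is enabled, it should be disabled.
-+ If this setting is disabled, it should be enabled.
-{{{ describe_sebool_disable(sebool="deny_execmem") }}}
-
--rationale: ""
-+rationale: |-
-+ Allowing user domain applications to map a memory region as both writable and
-+ executable makes them more susceptible to data execution attacks.
-
-severity: medium
-
-@@ -19,10 +21,20 @@ identifiers:
-
-references:
-anssi: BP28(R67)
--
--{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
-+
-+{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}}
-+
-+warnings:
-+ - general: |-
-+ This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
-+ applications to malfunction, for example Graphical login managers and Firefox.
-+ - functionality: |-
-+ Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.
-
-template:
-name: sebool
-vars:
-seboolid: deny_execmem
-+ backends:
-+ bash: "off"
-+ ansible: "off"
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-index 45aa81a1223..7fedaab6130 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean'
-
-description: |-
-By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.
-+ When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
-If this setting is enabled, it should be disabled.
-{{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}
-
--rationale: ""
-+rationale: |-
-+ Disabling code execution from the heap blocks buffer overflow attacks.
-
-severity: medium
-
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-index 2b20d0bfe4f..2e0b19f881d 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-@@ -10,7 +10,8 @@ description: |-
-to make their stack executable.
-{{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}}
-
--rationale: ""
-+rationale: |-
-+ Disabling code execution from the stack blocks buffer overflow attacks.
-
-severity: medium
-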
@ -1,707 +0,0 @@
|
||||
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:14:24 +0200
|
||||
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
|
||||
|
||||
---
|
||||
controls/anssi.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2053de05c0..e9b9f1b803 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -70,6 +70,10 @@ controls:
|
||||
It is recommended to use the mandatory access control (MAC) features in
|
||||
addition to the traditional Unix user model (DAC), or possibly combine
|
||||
them with partitioning mechanisms.
|
||||
+ notes: >-
|
||||
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
|
||||
+ in this requirement.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- selinux_state
|
||||
- var_selinux_state=enforcing
|
||||
@@ -161,6 +165,7 @@ controls:
|
||||
The iommu = force directive must be added to the list of kernel parameters
|
||||
during startup in addition to those already present in the configuration
|
||||
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- grub2_enable_iommu_force
|
||||
|
||||
@@ -837,8 +842,8 @@ controls:
|
||||
not locally stored in clear), or possibly stored on a separate machine
|
||||
of the one on which the sealing is done.
|
||||
Check section "Database and config signing in AIDE manual"
|
||||
- https://github.com/aide/aide/blob/master/doc/manual.html
|
||||
- # rules: TBD
|
||||
+ https://aide.github.io/doc/#signing
|
||||
+ automated: no
|
||||
|
||||
- id: R53
|
||||
level: enhanced
|
||||
@@ -946,7 +951,7 @@ controls:
|
||||
title: Enable AppArmor security profiles
|
||||
description: >-
|
||||
All AppArmor security profiles on the system must be enabled by default.
|
||||
- # rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R66
|
||||
level: high
|
||||
@@ -990,6 +995,7 @@ controls:
|
||||
description: >-
|
||||
SELinux policy manipulation and debugging tools should not be installed
|
||||
on a machine in production.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_setroubleshoot_removed
|
||||
- package_setroubleshoot-server_removed
|
||||
@@ -1000,4 +1006,5 @@ controls:
|
||||
title: Confining interactive non-privileged users
|
||||
description: >-
|
||||
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
|
||||
- # rules: TBD
|
||||
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
|
||||
+ automated: no
|
||||
|
||||
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:31:11 +0200
|
||||
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
|
||||
|
||||
---
|
||||
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 75 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index e9b9f1b803..291af65f58 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,8 +19,10 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Use of obsolete or insecure services is not recommended.
|
||||
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended.
|
||||
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
+ over any package installed later.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
#- package_rsh_removed
|
||||
@@ -45,10 +47,9 @@ controls:
|
||||
problematic from a security point of view.
|
||||
The features configured at the level of launched services should be limited to the strict
|
||||
minimum.
|
||||
+ automated: no
|
||||
notes: >-
|
||||
Define a list of most problematic components or features to be hardened or restricted.
|
||||
- # potential components: sshd, pam, chrony?
|
||||
- # rules: TBD
|
||||
|
||||
- id: R3
|
||||
level: enhanced
|
||||
@@ -109,7 +110,10 @@ controls:
|
||||
Network services should as much as possible be hosted on isolated environments.
|
||||
This avoids having other potentially affected services if one of them gets
|
||||
compromised under the same environment.
|
||||
- #rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual analysis is required to determine if services are hosted appropriately in
|
||||
+ separate or isolated system while maintaining functionality.
|
||||
+ automated: no
|
||||
|
||||
- id: R7
|
||||
level: enhanced
|
||||
@@ -117,6 +121,7 @@ controls:
|
||||
description: >-
|
||||
The activities of the running system and services must be logged and
|
||||
archived on an external, non-local system.
|
||||
+ automated: yes
|
||||
rules:
|
||||
# The default remote loghost is logcollector.
|
||||
# Change the default value to the hostname or IP of the system to send the logs to
|
||||
@@ -235,6 +240,7 @@ controls:
|
||||
notes: >-
|
||||
The rule disabling auto-mount for /boot is commented until the rules checking for other
|
||||
/boot mount options are updated to handle this usecase.
|
||||
+ automated: no
|
||||
#rules:
|
||||
#- mount_option_boot_noauto
|
||||
|
||||
@@ -275,7 +281,7 @@ controls:
|
||||
hardening measures.
|
||||
Between two packages providing the same service, those subject to hardening
|
||||
(at compilation, installation, or default configuration) must be preferred.
|
||||
- #rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R17
|
||||
level: enhanced
|
||||
@@ -283,6 +289,7 @@ controls:
|
||||
description: >-
|
||||
A boot loader to protect the password boot must be to be privileged.
|
||||
This password must prevent any user from changing their configuration options.
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- grub2_password
|
||||
- grub2_uefi_password
|
||||
@@ -358,12 +365,28 @@ controls:
|
||||
must be set up as soon as the system is installed: account and administration
|
||||
passwords, root authority certificates, public keys, or certificates of the
|
||||
host (and their respective private key).
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ This concerns two aspects, the first is administrative, and involves prompt
|
||||
+ installation of secrets or trusted elements by the sysadmin.
|
||||
+ The second involves removal of any default secret or trusted element
|
||||
+ configured by the operating system during install process, e.g. default
|
||||
+ known passwords.
|
||||
+ automated: no
|
||||
|
||||
- id: R21
|
||||
level: intermediary
|
||||
title: Hardening and monitoring of services subject to arbitrary flows
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux can provide confinement and monitoring of services, and AIDE provides
|
||||
+ basic integrity checking. System logs are configured as part of R43.
|
||||
+ Hardening of particular services should be done on a case by case basis and is
|
||||
+ not automated by this content.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_state
|
||||
+ - var_selinux_state=enforcing
|
||||
+ - package_aide_installed
|
||||
+ - aide_build_database
|
||||
|
||||
- id: R22
|
||||
level: intermediary
|
||||
@@ -535,6 +558,7 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- sysctl_kernel_modules_disabled
|
||||
|
||||
@@ -545,6 +569,7 @@ controls:
|
||||
It is recommended to load the Yama security module at startup (by example
|
||||
passing the security = yama argument to the kernel) and configure the
|
||||
sysctl kernel.yama.ptrace_scope to a value of at least 1.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sysctl_kernel_yama_ptrace_scope
|
||||
|
||||
@@ -553,13 +578,19 @@ controls:
|
||||
title: Disabling unused user accounts
|
||||
description: >-
|
||||
Unused user accounts must be disabled at the system level.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The definition of unused user accounts is broad. It can include accounts
|
||||
+ whose owners don't use the system anymore, or users created by services
|
||||
+ or applicatons that should not be used.
|
||||
+ automated: no
|
||||
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
|
||||
@@ -568,7 +599,11 @@ controls:
|
||||
title: Uniqueness and exclusivity of system service accounts
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is not trivial to identify wether a user account is a service account.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
+ automated: no
|
||||
|
||||
- id: R29
|
||||
level: enhanced
|
||||
@@ -778,6 +813,7 @@ controls:
|
||||
description: >-
|
||||
The syslog services must be isolated from the rest of the system in a
|
||||
dedicated container.
|
||||
+ automated: no
|
||||
# rules: TBD
|
||||
|
||||
- id: R46
|
||||
@@ -825,6 +861,7 @@ controls:
|
||||
This includes: directories containing executables, libraries,
|
||||
configuration files, as well as any files that may contain sensitive
|
||||
elements (cryptographic keys, passwords, confidential data).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_aide_installed
|
||||
- aide_build_database
|
||||
@@ -851,7 +888,12 @@ controls:
|
||||
description: >-
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_policytype
|
||||
+ - var_selinux_policy_name=targeted
|
||||
|
||||
- id: R54
|
||||
level: enhanced
|
||||
@@ -859,17 +901,24 @@ controls:
|
||||
description: >-
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It may be interesting to point out virtulization components that are installed and
|
||||
+ should be hardened.
|
||||
+ automated: no
|
||||
|
||||
- id: R55
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ autmated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R57
|
||||
level: intermediary
|
||||
@@ -924,7 +973,10 @@ controls:
|
||||
description: >-
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
+ automated: no
|
||||
|
||||
- id: R62
|
||||
level: intermediary
|
||||
@@ -944,7 +996,13 @@ controls:
|
||||
- id: R64
|
||||
level: intermediary
|
||||
title: Good use of sudoedit
|
||||
- # rules: TBD
|
||||
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
|
||||
+ notes: >-
|
||||
+ In R62 we established that the sudoers files should not use negations, thus the approach
|
||||
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
|
||||
+ But it is difficult to ensure that allowed binaries aren't text editors without human
|
||||
+ review.
|
||||
+ automated: no
|
||||
|
||||
- id: R65
|
||||
level: high
|
||||
@@ -959,6 +1017,7 @@ controls:
|
||||
description: >-
|
||||
It is recommended to enable the targeted policy when the distribution
|
||||
support it and that it does not operate another security module than SELinux.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- selinux_policytype
|
||||
- var_selinux_policy_name=targeted
|
||||
|
||||
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:49:42 +0200
|
||||
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Yuuma Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 10:58:50 +0200
|
||||
Subject: [PATCH 4/6] Fix typos and improve language
|
||||
|
||||
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
||||
---
|
||||
controls/anssi.yml | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 291af65f58..81d099e98b 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -581,7 +581,7 @@ controls:
|
||||
notes: >-
|
||||
The definition of unused user accounts is broad. It can include accounts
|
||||
whose owners don't use the system anymore, or users created by services
|
||||
- or applicatons that should not be used.
|
||||
+ or applications that should not be used.
|
||||
automated: no
|
||||
|
||||
- id: R27
|
||||
@@ -589,7 +589,7 @@ controls:
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
@@ -600,8 +600,8 @@ controls:
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
notes: >-
|
||||
- It is not trivial to identify wether a user account is a service account.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ It is not trivial to identify whether a user account is a service account.
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
automated: no
|
||||
|
||||
@@ -889,7 +889,7 @@ controls:
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
notes: >-
|
||||
- SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ SELinux policies limit the privileges of services and daemons just to those which are required.
|
||||
automated: partially
|
||||
rules:
|
||||
- selinux_policytype
|
||||
@@ -902,7 +902,7 @@ controls:
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
notes: >-
|
||||
- It may be interesting to point out virtulization components that are installed and
|
||||
+ It may be interesting to point out virtualization components that are installed and
|
||||
should be hardened.
|
||||
automated: no
|
||||
|
||||
@@ -910,14 +910,14 @@ controls:
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
- autmated: no
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
automated: no
|
||||
|
||||
- id: R57
|
||||
@@ -974,7 +974,7 @@ controls:
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
notes: >-
|
||||
- Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
|
||||
An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
automated: no
|
||||
|
||||
|
||||
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:41:30 +0200
|
||||
Subject: [PATCH 5/6] Update R1 notes and selected rule
|
||||
|
||||
---
|
||||
controls/anssi.yml | 28 +++++++++----------
|
||||
.../package_xinetd_removed/rule.yml | 1 +
|
||||
.../nis/package_ypbind_removed/rule.yml | 1 +
|
||||
.../nis/package_ypserv_removed/rule.yml | 1 +
|
||||
.../package_rsh-server_removed/rule.yml | 1 +
|
||||
.../r_services/package_rsh_removed/rule.yml | 1 +
|
||||
.../talk/package_talk-server_removed/rule.yml | 1 +
|
||||
.../talk/package_talk_removed/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../telnet/package_telnet_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp-server_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp_removed/rule.yml | 4 +++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
13 files changed, 28 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 81d099e98b..ebee9c4259 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,25 +19,25 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Manual review is required to assess if the installed services are minimal.
|
||||
- In general, use of obsolete or insecure services is not recommended.
|
||||
Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended and we remove some
|
||||
+ of these in this recommendation.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
- #- package_rsh_removed
|
||||
- #- package_rsh-server_removed
|
||||
+ - package_rsh_removed
|
||||
+ - package_rsh-server_removed
|
||||
- package_sendmail_removed
|
||||
- - package_telnetd_removed
|
||||
- #- package_talk_removed
|
||||
- #- package_talk-server_removed
|
||||
- #- package_telnet_removed
|
||||
- #- package_telnet-server_removed
|
||||
- #- package_tftp_removed
|
||||
- #- package_tftp-server_removed
|
||||
- #- package_xinetd_removed
|
||||
- #- package_ypbind_removed
|
||||
- #- package_ypserv_removed
|
||||
+ - package_talk_removed
|
||||
+ - package_talk-server_removed
|
||||
+ - package_telnet_removed
|
||||
+ - package_telnet-server_removed
|
||||
+ - package_tftp_removed
|
||||
+ - package_tftp-server_removed
|
||||
+ - package_xinetd_removed
|
||||
+ - package_ypbind_removed
|
||||
+ - package_ypserv_removed
|
||||
|
||||
- id: R2
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
index e2431be9c5..9494025449 100644
|
||||
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80850-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel8: 2.1.1
|
||||
disa: CCI-000305
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
index 97e27e2a4c..e836dc6fb1 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
@@ -24,6 +24,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82181-9
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.1
|
||||
cis@rhel8: 2.3.1
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
index ac1d8e6f4c..7ca7a67e69 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82432-6
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020010
|
||||
cis@rhel7: 2.2.16
|
||||
cis@rhel8: 2.2.17
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
index 21f4d7bae6..33c36cde67 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82184-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020000
|
||||
disa: CCI-000381
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
index c8f4673a3a..dbc6bd7329 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82183-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.2
|
||||
cui: 3.1.13
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
index 12971558e9..e46e4f55d0 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82180-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.2.18
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
index 68e804ba38..24743fc2d6 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80848-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.3
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
index 7bb5ed5da3..24cf50ff29 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
@@ -31,6 +31,7 @@ identifiers:
|
||||
cce@sle15: CCE-83273-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-021710
|
||||
cis@rhel7: 2.1.19
|
||||
disa: CCI-000381
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
index 1b0128ec06..afef488734 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
@@ -21,6 +21,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80849-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.4
|
||||
cis@rhel8: 2.3.2
|
||||
cui: 3.1.13
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
index 3fcc8db4c8..ca25bb2124 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82436-7
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-040700
|
||||
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
|
||||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
index c3a501259c..0be9a60d38 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
@@ -19,6 +19,10 @@ severity: low
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80443-5
|
||||
+ cce@rhel8: CCE-83590-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R1)
|
||||
|
||||
ocil: '{{{ describe_package_remove(package="tftp") }}}'
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4c4f8c3aa3..b719186add 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -91,7 +91,6 @@ CCE-83584-3
|
||||
CCE-83587-6
|
||||
CCE-83588-4
|
||||
CCE-83589-2
|
||||
-CCE-83590-0
|
||||
CCE-83592-6
|
||||
CCE-83594-2
|
||||
CCE-83595-9
|
||||
|
||||
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:43:32 +0200
|
||||
Subject: [PATCH 6/6] Update R5 notes and rule selection
|
||||
|
||||
Note commented rules as related, and potentially useful.
|
||||
---
|
||||
controls/anssi.yml | 16 +++++++++-------
|
||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index ebee9c4259..bba7148da9 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -88,20 +88,22 @@ controls:
|
||||
automated: partially
|
||||
notes: >-
|
||||
Defense in-depth can be broadly divided into three areas - physical, technical and
|
||||
- administrative. The security profile is best suitedto protect the technical area.
|
||||
+ administrative. The security profile is best suited to protect the technical area.
|
||||
Among the barriers that can be implemented within the technical area are antivirus software,
|
||||
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
|
||||
intrusion detection systems, firewalls and vulnerability scanners.
|
||||
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
|
||||
rules:
|
||||
- #- package_audit_installed
|
||||
- #- service_auditd_enabled
|
||||
- sudo_remove_no_authenticate
|
||||
- package_rsyslog_installed
|
||||
- service_rsyslog_enabled
|
||||
- #- package_ntp_installed
|
||||
- #- package_firewalld_installed
|
||||
- #- service_firewalld_enabled
|
||||
- #- sssd_enable_smartcards
|
||||
+ related_rules:
|
||||
+ - package_audit_installed
|
||||
+ - service_auditd_enabled
|
||||
+ - package_ntp_installed
|
||||
+ - package_firewalld_installed
|
||||
+ - service_firewalld_enabled
|
||||
+ - sssd_enable_smartcards
|
||||
|
||||
- id: R6
|
||||
level: enhanced
|
@ -1,28 +1,33 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.56
|
||||
Release: 2%{?dist}
|
||||
Version: 0.1.57
|
||||
Release: 1%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
License: BSD
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
|
||||
Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
|
||||
Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
|
||||
Patch4: scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||
Obsoletes: openscap-content < 0:0.9.13
|
||||
Provides: openscap-content
|
||||
@ -33,11 +38,11 @@ system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The Red Hat Enterprise
|
||||
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
|
||||
package, or the scap-workbench GUI tool from scap-workbench package to verify
|
||||
that the system conforms to provided guideline. Refer to scap-security-guide(8)
|
||||
manual page for further information.
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
@ -49,7 +54,7 @@ The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
@ -60,15 +65,10 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -b 1
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
mkdir build
|
||||
%autosetup -p1 -b1
|
||||
|
||||
%build
|
||||
mkdir -p build
|
||||
cd build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||
@ -82,15 +82,15 @@ cd build
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%endif
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
||||
%endif
|
||||
../
|
||||
%make_build
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
cd build
|
||||
%make_install
|
||||
%cmake_install
|
||||
|
||||
# Manually install pre-built rhel6 content
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
@ -106,7 +106,7 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%doc %{_docdir}/%{name}/README.md
|
||||
%doc %{_docdir}/%{name}/Contributors.md
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
@ -114,13 +114,17 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Enable the ISM profile.
|
||||
|
||||
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
|
||||
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user