import scap-security-guide-0.1.57-1.el8

CentOS Sources 2021-08-10 04:26:16 +00:00 committed by Andrew Lukoshko
parent 9be20b0383
commit b842fea880
8 changed files with 45 additions and 1104 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.56.tar.bz2 SOURCES/scap-security-guide-0.1.57.tar.bz2


@ -1,2 +1,2 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
68280f72027ec89fda4b861fda932110d833d0d1 SOURCES/scap-security-guide-0.1.56.tar.bz2 d78bdc956df4301c3b3bbb2f9f24d809d7b1d08c SOURCES/scap-security-guide-0.1.57.tar.bz2


@ -1,22 +1,7 @@
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 3 Dec 2020 14:35:47 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
---
rhel8/CMakeLists.txt | 6 ------
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/ism_o.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
11 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index d61689c97..5e444a101 100644 index d61689c97..5e444a101 100644
--- a/rhel8/CMakeLists.txt --- a/products/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt +++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") @@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi") ssg_build_html_table_by_ref(${PRODUCT} "anssi")
@ -33,60 +18,30 @@ index d61689c97..5e444a101 100644
ssg_build_html_cce_table(${PRODUCT}) ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 035d2705b..c6475f33e 100644 index 035d2705b..c6475f33e 100644
--- a/rhel8/profiles/cjis.profile --- a/products/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
metadata: metadata:
version: 5.4 version: 5.4
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index a3c427c01..4605dea3b 100644
--- a/rhel8/profiles/ism_o.profile
+++ b/rhel8/profiles/ism_o.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
SMEs:
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
index 2baee6d66..8592d7aaf 100644
--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644 index c84579592..164ec98c4 100644
--- a/rhel8/profiles/rht-ccp.profile --- a/products/rhel8/profiles/rht-ccp.profile
+++ b/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
index a63ae2cf3..da669bb84 100644 index a63ae2cf3..da669bb84 100644
--- a/rhel8/profiles/standard.profile --- a/products/rhel8/profiles/standard.profile
+++ b/rhel8/profiles/standard.profile +++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
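Review bot: On the right-hand (new) side of this refreshed downstream patch, the `diff --git` headers no longer agree with the `---`/`+++` lines beneath them. The CMakeLists.txt header still reads `a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt` while its file lines name `products/rhel8/CMakeLists.txt`, and the cjis, rht-ccp and standard headers pair `a/products/rhel8/...` with `b/rhel8/...`. This looks like a hand edit of the paths rather than a regenerated patch; `patch` reads the `---`/`+++` lines, so it probably still applies, but regenerating it against the 0.1.57 tree would keep the headers consistent and easier to audit. The refresh also drops the ism_o, rhelh-stig and rhelh-vpp hunks, so this patch no longer sets `documentation_complete: false` for those profiles. The page does not show why, so a changelog entry should state whether those profiles are now built and shipped or are excluded some other way.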


@ -1,115 +0,0 @@
From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 5 Jan 2021 18:03:24 +0100
Subject: [PATCH] Add rule sudo_add_passwd_timeout
This rule configures sudo password prompt timeout.
---
controls/anssi.yml | 3 +-
.../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++
.../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
shared/references/cce-redhat-avail.txt | 2 -
4 files changed, 63 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..5120456230b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -892,7 +892,8 @@ controls:
- var_sudo_umask=0027
- sudo_add_ignore_dot
- sudo_add_env_reset
- # passwd_timeout=1
+ - sudo_add_passwd_timeout
+ - var_sudo_passwd_timeout=1_minute
- id: R59
level: minimal
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
new file mode 100644
index 00000000000..ae3399527f4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: ol7,ol8,rhel7,rhel8
+
+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
+
+description: |-
+ The sudo <tt>passwd_timeout</tt> tag sets the amount of time sudo password prompt waits.
+{{%- if product in ["rhel7", "rhel8"] %}}
+ On {{{ full_name }}}, the default <tt>passwd_timeout</tt> value is 5 minutes.
+{{% endif %}}
+ The passwd_timeout should be configured by making sure that the
+ <tt>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</tt> tag exists in
+ <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
+ in <tt>/etc/sudoers.d/</tt>.
+
+rationale: |-
+ Reducing the time <tt>sudo</tt> waits for a a password reduces the time the process is exposed.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83963-9
+ cce@rhel8: CCE-83964-7
+
+references:
+ anssi: BP28(R58)
+
+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
+
+ocil: |-
+ To determine if <tt>passwd_timeout</tt> has been configured for sudo, run the following command:
+ <pre>$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return a matching output.
+
+template:
+ name: sudo_defaults_option
+ vars:
+ option: passwd_timeout
+ variable_name: "var_sudo_passwd_timeout"
diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
new file mode 100644
index 00000000000..4a9dcd5bb7b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Sudo - passwd_timeout value'
+
+description: |-
+ Defines the number of minutes before the <tt>sudo</tt> password prompt times out.
+ Defining 0 means no timeout. The default timeout value is 5 minutes.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+ default: "5"
+ infinite: "0"
+ 1_minute: "1"
+ 2_minutes: "2"
+ 3_minutes: "3"
+ 5_minutes: "5"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 61391f50c2d..e095e405f66 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -349,8 +349,6 @@ CCE-83959-7
CCE-83960-5
CCE-83961-3
CCE-83962-1
-CCE-83963-9
-CCE-83964-7
CCE-83965-4
CCE-83966-2
CCE-83967-0


@ -1,76 +0,0 @@
commit c58a2b0af3c8094446df1850cb1c943d51b2ec5f
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Tue Jun 8 13:40:28 2021 +0200
Add option to enable installation of individual ansible playbooks per rule.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6995944..bd317c0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,6 +46,7 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
@@ -231,6 +232,7 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
if (SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index b487a0b..b7db7fd 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -746,8 +746,12 @@ macro(ssg_build_product PRODUCT)
ssg_build_xccdf_unlinked(${PRODUCT})
ssg_build_ocil_unlinked(${PRODUCT})
ssg_build_remediations(${PRODUCT})
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
ssg_build_ansible_playbooks(${PRODUCT})
+ add_dependencies(
+ ${PRODUCT}-content
+ generate-${PRODUCT}-ansible-playbooks
+ )
endif()
ssg_build_xccdf_with_remediations(${PRODUCT})
ssg_build_oval_unlinked(${PRODUCT})
@@ -778,10 +782,6 @@ macro(ssg_build_product PRODUCT)
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
- add_dependencies(
- ${PRODUCT}-content
- generate-${PRODUCT}-ansible-playbooks
- )
ssg_build_profile_playbooks(${PRODUCT})
add_custom_target(
${PRODUCT}-profile-playbooks
@@ -885,6 +885,20 @@ macro(ssg_build_product PRODUCT)
endif()
"
)
+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ install(
+ CODE "
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ else()
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ endif()
+ "
+ )
+ endif()
# grab all the kickstarts (if any) and install them
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")


@ -1,120 +0,0 @@
From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 10 May 2021 18:53:02 +0200
Subject: [PATCH] Update and select seboolean rules for R67
Fix description of sebool_deny_execmem, and warning about possible
issues.
Add rationale to rules the SELinux booleans.
---
controls/anssi.yml | 14 +++++++++---
.../sebool_deny_execmem/rule.yml | 22 ++++++++++++++-----
.../sebool_selinuxuser_execheap/rule.yml | 4 +++-
.../sebool_selinuxuser_execstack/rule.yml | 3 ++-
4 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..ef9356a6fea 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -967,10 +967,18 @@ controls:
allow_execstack to off, forbids processes to make their stack executable;
secure_mode_insmod to on, prohibits dynamic loading of modules by any process;
ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
+ notes:
+ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the
+ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not
+ available, deny_execmem provides the same functionality.
+ automated: yes
rules:
- # Add rule for sebool allow_execheap
- # Add rule for sebool allow_execmem
- # Add rule for sebool allow_execstack
+ - var_selinuxuser_execheap=off
+ - sebool_selinuxuser_execheap
+ - var_deny_execmem=on
+ - sebool_deny_execmem
+ - var_selinuxuser_execstack=off
+ - sebool_selinuxuser_execstack
- var_secure_mode_insmod=on
- sebool_secure_mode_insmod
- sebool_ssh_sysadm_login
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index f340ea4be11..e8453fbfb8d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -2,14 +2,16 @@ documentation_complete: true
prodtype: rhel7,rhel8,rhel9,rhv4
-title: 'Disable the deny_execmem SELinux Boolean'
+title: 'Enable the deny_execmem SELinux Boolean'
description: |-
By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.
- If this setting is enabled, it should be disabled.
+ If this setting is disabled, it should be enabled.
{{{ describe_sebool_disable(sebool="deny_execmem") }}}
-rationale: ""
+rationale: |-
+ Allowing user domain applications to map a memory region as both writable and
+ executable makes them more susceptible to data execution attacks.
severity: medium
@@ -19,10 +21,20 @@ identifiers:
references:
anssi: BP28(R67)
-
-{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
+
+{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}}
+
+warnings:
+ - general: |-
+ This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
+ applications to malfunction, for example Graphical login managers and Firefox.
+ - functionality: |-
+ Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.
template:
name: sebool
vars:
seboolid: deny_execmem
+ backends:
+ bash: "off"
+ ansible: "off"
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index 45aa81a1223..7fedaab6130 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean'
description: |-
By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.
+ When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
If this setting is enabled, it should be disabled.
{{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}
-rationale: ""
+rationale: |-
+ Disabling code execution from the heap blocks buffer overflow attacks.
severity: medium
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index 2b20d0bfe4f..2e0b19f881d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -10,7 +10,8 @@ description: |-
to make their stack executable.
{{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}}
-rationale: ""
+rationale: |-
+ Disabling code execution from the stack blocks buffer overflow attacks.
severity: medium


@ -1,707 +0,0 @@
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:14:24 +0200
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
---
controls/anssi.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 2053de05c0..e9b9f1b803 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -70,6 +70,10 @@ controls:
It is recommended to use the mandatory access control (MAC) features in
addition to the traditional Unix user model (DAC), or possibly combine
them with partitioning mechanisms.
+ notes: >-
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
+ in this requirement.
+ automated: partially
rules:
- selinux_state
- var_selinux_state=enforcing
@@ -161,6 +165,7 @@ controls:
The iommu = force directive must be added to the list of kernel parameters
during startup in addition to those already present in the configuration
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
+ automated: yes
rules:
- grub2_enable_iommu_force
@@ -837,8 +842,8 @@ controls:
not locally stored in clear), or possibly stored on a separate machine
of the one on which the sealing is done.
Check section "Database and config signing in AIDE manual"
- https://github.com/aide/aide/blob/master/doc/manual.html
- # rules: TBD
+ https://aide.github.io/doc/#signing
+ automated: no
- id: R53
level: enhanced
@@ -946,7 +951,7 @@ controls:
title: Enable AppArmor security profiles
description: >-
All AppArmor security profiles on the system must be enabled by default.
- # rules: TBD
+ automated: no
- id: R66
level: high
@@ -990,6 +995,7 @@ controls:
description: >-
SELinux policy manipulation and debugging tools should not be installed
on a machine in production.
+ automated: yes
rules:
- package_setroubleshoot_removed
- package_setroubleshoot-server_removed
@@ -1000,4 +1006,5 @@ controls:
title: Confining interactive non-privileged users
description: >-
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
- # rules: TBD
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
+ automated: no
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:31:11 +0200
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
---
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 75 insertions(+), 16 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index e9b9f1b803..291af65f58 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,8 +19,10 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Use of obsolete or insecure services is not recommended.
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended.
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
+ over any package installed later.
rules:
- package_dhcp_removed
#- package_rsh_removed
@@ -45,10 +47,9 @@ controls:
problematic from a security point of view.
The features configured at the level of launched services should be limited to the strict
minimum.
+ automated: no
notes: >-
Define a list of most problematic components or features to be hardened or restricted.
- # potential components: sshd, pam, chrony?
- # rules: TBD
- id: R3
level: enhanced
@@ -109,7 +110,10 @@ controls:
Network services should as much as possible be hosted on isolated environments.
This avoids having other potentially affected services if one of them gets
compromised under the same environment.
- #rules: TBD
+ notes: >-
+ Manual analysis is required to determine if services are hosted appropriately in
+ separate or isolated system while maintaining functionality.
+ automated: no
- id: R7
level: enhanced
@@ -117,6 +121,7 @@ controls:
description: >-
The activities of the running system and services must be logged and
archived on an external, non-local system.
+ automated: yes
rules:
# The default remote loghost is logcollector.
# Change the default value to the hostname or IP of the system to send the logs to
@@ -235,6 +240,7 @@ controls:
notes: >-
The rule disabling auto-mount for /boot is commented until the rules checking for other
/boot mount options are updated to handle this usecase.
+ automated: no
#rules:
#- mount_option_boot_noauto
@@ -275,7 +281,7 @@ controls:
hardening measures.
Between two packages providing the same service, those subject to hardening
(at compilation, installation, or default configuration) must be preferred.
- #rules: TBD
+ automated: no
- id: R17
level: enhanced
@@ -283,6 +289,7 @@ controls:
description: >-
A boot loader to protect the password boot must be to be privileged.
This password must prevent any user from changing their configuration options.
+ automated: yes # without remediation
rules:
- grub2_password
- grub2_uefi_password
@@ -358,12 +365,28 @@ controls:
must be set up as soon as the system is installed: account and administration
passwords, root authority certificates, public keys, or certificates of the
host (and their respective private key).
- # rules: TBD
+ notes: >-
+ This concerns two aspects, the first is administrative, and involves prompt
+ installation of secrets or trusted elements by the sysadmin.
+ The second involves removal of any default secret or trusted element
+ configured by the operating system during install process, e.g. default
+ known passwords.
+ automated: no
- id: R21
level: intermediary
title: Hardening and monitoring of services subject to arbitrary flows
- # rules: TBD
+ notes: >-
+ SELinux can provide confinement and monitoring of services, and AIDE provides
+ basic integrity checking. System logs are configured as part of R43.
+ Hardening of particular services should be done on a case by case basis and is
+ not automated by this content.
+ automated: partially
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ - package_aide_installed
+ - aide_build_database
- id: R22
level: intermediary
@@ -535,6 +558,7 @@ controls:
sysctl kernel.modules_disabledconf:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
+ automated: yes # without remediation
rules:
- sysctl_kernel_modules_disabled
@@ -545,6 +569,7 @@ controls:
It is recommended to load the Yama security module at startup (by example
passing the security = yama argument to the kernel) and configure the
sysctl kernel.yama.ptrace_scope to a value of at least 1.
+ automated: yes
rules:
- sysctl_kernel_yama_ptrace_scope
@@ -553,13 +578,19 @@ controls:
title: Disabling unused user accounts
description: >-
Unused user accounts must be disabled at the system level.
- # rules: TBD
+ notes: >-
+ The definition of unused user accounts is broad. It can include accounts
+ whose owners don't use the system anymore, or users created by services
+ or applicatons that should not be used.
+ automated: no
- id: R27
title: Disabling service accounts
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
@@ -568,7 +599,11 @@ controls:
title: Uniqueness and exclusivity of system service accounts
description: >-
Each service must have its own system account and be dedicated to it exclusively.
- # rules: TBD
+ notes: >-
+ It is not trivial to identify wether a user account is a service account.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
+ automated: no
- id: R29
level: enhanced
@@ -778,6 +813,7 @@ controls:
description: >-
The syslog services must be isolated from the rest of the system in a
dedicated container.
+ automated: no
# rules: TBD
- id: R46
@@ -825,6 +861,7 @@ controls:
This includes: directories containing executables, libraries,
configuration files, as well as any files that may contain sensitive
elements (cryptographic keys, passwords, confidential data).
+ automated: yes
rules:
- package_aide_installed
- aide_build_database
@@ -851,7 +888,12 @@ controls:
description: >-
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
- # rules: TBD
+ notes: >-
+ SELinux policies limit the privileges of services and daemons to only what they require.
+ automated: partially
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
- id: R54
level: enhanced
@@ -859,17 +901,24 @@ controls:
description: >-
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
- # rules: TBD
+ notes: >-
+ It may be interesting to point out virtulization components that are installed and
+ should be hardened.
+ automated: no
- id: R55
level: intermediary
title: chroot jail and access right for partitioned service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ autmated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R57
level: intermediary
@@ -924,7 +973,10 @@ controls:
description: >-
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
- # rules: TBD
+ notes: >-
+ Human review is required to assess if the commands requiring EXEC is minimal.
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
+ automated: no
- id: R62
level: intermediary
@@ -944,7 +996,13 @@ controls:
- id: R64
level: intermediary
title: Good use of sudoedit
- # rules: TBD
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
+ notes: >-
+ In R62 we established that the sudoers files should not use negations, thus the approach
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
+ But it is difficult to ensure that allowed binaries aren't text editors without human
+ review.
+ automated: no
- id: R65
level: high
@@ -959,6 +1017,7 @@ controls:
description: >-
It is recommended to enable the targeted policy when the distribution
support it and that it does not operate another security module than SELinux.
+ automated: yes
rules:
- selinux_policytype
- var_selinux_policy_name=targeted
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:49:42 +0200
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
---
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 10:58:50 +0200
Subject: [PATCH 4/6] Fix typos and improve language
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
controls/anssi.yml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 291af65f58..81d099e98b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -581,7 +581,7 @@ controls:
notes: >-
The definition of unused user accounts is broad. It can include accounts
whose owners don't use the system anymore, or users created by services
- or applicatons that should not be used.
+ or applications that should not be used.
automated: no
- id: R27
@@ -589,7 +589,7 @@ controls:
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
@@ -600,8 +600,8 @@ controls:
description: >-
Each service must have its own system account and be dedicated to it exclusively.
notes: >-
- It is not trivial to identify wether a user account is a service account.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ It is not trivial to identify whether a user account is a service account.
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
automated: no
@@ -889,7 +889,7 @@ controls:
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
notes: >-
- SELinux policies limit the privileges of services and daemons to only what they require.
+ SELinux policies limit the privileges of services and daemons just to those which are required.
automated: partially
rules:
- selinux_policytype
@@ -902,7 +902,7 @@ controls:
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
notes: >-
- It may be interesting to point out virtulization components that are installed and
+ It may be interesting to point out virtualization components that are installed and
should be hardened.
automated: no
@@ -910,14 +910,14 @@ controls:
level: intermediary
title: chroot jail and access right for partitioned service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
- autmated: no
+ Using automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
+ Using automation to restrict access and chroot services is not generally reliable.
automated: no
- id: R57
@@ -974,7 +974,7 @@ controls:
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
notes: >-
- Human review is required to assess if the commands requiring EXEC is minimal.
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
An auxiliary rule could list rules containing EXEC tag, for analysis.
automated: no
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:41:30 +0200
Subject: [PATCH 5/6] Update R1 notes and selected rule
---
controls/anssi.yml | 28 +++++++++----------
.../package_xinetd_removed/rule.yml | 1 +
.../nis/package_ypbind_removed/rule.yml | 1 +
.../nis/package_ypserv_removed/rule.yml | 1 +
.../package_rsh-server_removed/rule.yml | 1 +
.../r_services/package_rsh_removed/rule.yml | 1 +
.../talk/package_talk-server_removed/rule.yml | 1 +
.../talk/package_talk_removed/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../telnet/package_telnet_removed/rule.yml | 1 +
.../tftp/package_tftp-server_removed/rule.yml | 1 +
.../tftp/package_tftp_removed/rule.yml | 4 +++
shared/references/cce-redhat-avail.txt | 1 -
13 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 81d099e98b..ebee9c4259 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,25 +19,25 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Manual review is required to assess if the installed services are minimal.
- In general, use of obsolete or insecure services is not recommended.
Performing a minimal install is a good starting point, but doesn't provide any assurance
over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended and we remove some
+ of these in this recommendation.
rules:
- package_dhcp_removed
- #- package_rsh_removed
- #- package_rsh-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
- package_sendmail_removed
- - package_telnetd_removed
- #- package_talk_removed
- #- package_talk-server_removed
- #- package_telnet_removed
- #- package_telnet-server_removed
- #- package_tftp_removed
- #- package_tftp-server_removed
- #- package_xinetd_removed
- #- package_ypbind_removed
- #- package_ypserv_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_tftp_removed
+ - package_tftp-server_removed
+ - package_xinetd_removed
+ - package_ypbind_removed
+ - package_ypserv_removed
- id: R2
level: intermediary
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index e2431be9c5..9494025449 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-80850-1
references:
+ anssi: BP28(R1)
cis@rhel8: 2.1.1
disa: CCI-000305
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 97e27e2a4c..e836dc6fb1 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -24,6 +24,7 @@ identifiers:
cce@rhel8: CCE-82181-9
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.1
cis@rhel8: 2.3.1
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index ac1d8e6f4c..7ca7a67e69 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82432-6
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020010
cis@rhel7: 2.2.16
cis@rhel8: 2.2.17
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index 21f4d7bae6..33c36cde67 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82184-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020000
disa: CCI-000381
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index c8f4673a3a..dbc6bd7329 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-82183-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.2
cui: 3.1.13
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index 12971558e9..e46e4f55d0 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-82180-1
references:
+ anssi: BP28(R1)
cis@rhel7: 2.2.18
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 68e804ba38..24743fc2d6 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-80848-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.3
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 7bb5ed5da3..24cf50ff29 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -31,6 +31,7 @@ identifiers:
cce@sle15: CCE-83273-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-021710
cis@rhel7: 2.1.19
disa: CCI-000381
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 1b0128ec06..afef488734 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel8: CCE-80849-3
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.4
cis@rhel8: 2.3.2
cui: 3.1.13
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 3fcc8db4c8..ca25bb2124 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82436-7
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-040700
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
nist: CM-7(a),CM-7(b),CM-6(a)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index c3a501259c..0be9a60d38 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -19,6 +19,10 @@ severity: low
identifiers:
cce@rhel7: CCE-80443-5
+ cce@rhel8: CCE-83590-0
+
+references:
+ anssi: BP28(R1)
ocil: '{{{ describe_package_remove(package="tftp") }}}'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4c4f8c3aa3..b719186add 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -91,7 +91,6 @@ CCE-83584-3
CCE-83587-6
CCE-83588-4
CCE-83589-2
-CCE-83590-0
CCE-83592-6
CCE-83594-2
CCE-83595-9
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:43:32 +0200
Subject: [PATCH 6/6] Update R5 notes and rule selection
Note commented rules as related, and potentially useful.
---
controls/anssi.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index ebee9c4259..bba7148da9 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -88,20 +88,22 @@ controls:
automated: partially
notes: >-
Defense in-depth can be broadly divided into three areas - physical, technical and
- administrative. The security profile is best suitedto protect the technical area.
+ administrative. The security profile is best suited to protect the technical area.
Among the barriers that can be implemented within the technical area are antivirus software,
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
intrusion detection systems, firewalls and vulnerability scanners.
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
rules:
- #- package_audit_installed
- #- service_auditd_enabled
- sudo_remove_no_authenticate
- package_rsyslog_installed
- service_rsyslog_enabled
- #- package_ntp_installed
- #- package_firewalld_installed
- #- service_firewalld_enabled
- #- sssd_enable_smartcards
+ related_rules:
+ - package_audit_installed
+ - service_auditd_enabled
+ - package_ntp_installed
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - sssd_enable_smartcards
- id: R6
level: enhanced


@ -1,28 +1,33 @@
# Base name of static rhel6 content tarball # Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.56 Version: 0.1.57
Release: 2%{?dist} Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System Group: Applications/System
License: BSD
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content # Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2 Source1: %{_static_rhel6_content}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
Patch4: scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
BuildArch: noarch BuildArch: noarch
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
# To get python3 inside the buildroot require its path explicitly in BuildRequires # To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3 BuildRequires: /usr/bin/python3
BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5 Requires: xml-common, openscap-scanner >= 1.2.5
Obsoletes: openscap-content < 0:0.9.13 Obsoletes: openscap-content < 0:0.9.13
Provides: openscap-content Provides: openscap-content
@ -33,11 +38,11 @@ system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The Red Hat Enterprise requirements and specific implementation guidelines. The system
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner administrator can use the oscap CLI tool from openscap-scanner package, or the
package, or the scap-workbench GUI tool from scap-workbench package to verify scap-workbench GUI tool from scap-workbench package to verify that the system
that the system conforms to provided guideline. Refer to scap-security-guide(8) conforms to provided guideline. Refer to scap-security-guide(8) manual page for
manual page for further information. further information.
%package doc %package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks Summary: HTML formatted security guides generated from XCCDF benchmarks
@ -49,7 +54,7 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package. present in %{name} package.
%if %{defined rhel} %if ( %{defined rhel} && (! %{defined centos}) )
%package rule-playbooks %package rule-playbooks
Summary: Ansible playbooks per each rule. Summary: Ansible playbooks per each rule.
Group: System Environment/Base Group: System Environment/Base
@ -60,15 +65,10 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%endif %endif
%prep %prep
%setup -q -b 1 %autosetup -p1 -b1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
mkdir build
%build %build
mkdir -p build
cd build cd build
%cmake \ %cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
@ -82,15 +82,15 @@ cd build
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif %endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if %{defined rhel} %if ( %{defined rhel} && (! %{defined centos}) )
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \ -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif %endif
../ ../
%make_build %cmake_build
%install %install
cd build cd build
%make_install %cmake_install
# Manually install pre-built rhel6 content # Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot} cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
@ -106,7 +106,7 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%doc %{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md %doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md %doc %{_docdir}/%{name}/Contributors.md
%if %{defined rhel} %if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks %exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif %endif
@ -114,13 +114,17 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html %doc %{_docdir}/%{name}/tables/*.html
%if %{defined rhel} %if ( %{defined rhel} && (! %{defined centos}) )
%files rule-playbooks %files rule-playbooks
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks %{_datadir}/%{name}/ansible/rule_playbooks
%endif %endif
%changelog %changelog
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1966577)
- Enable the ISM profile.
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2 * Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604) - Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
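Review bot: The comment above `Patch0` still says the patch allows only the OSPP, PCI-DSS, E8 and STIG profiles in the RHEL8 datastream, but the new 0.1.57-1 changelog entry says `- Enable the ISM profile.`, so the comment no longer describes what the package ships. Anyone auditing which baselines this build exposes will read that comment first, so it should list what the patch actually leaves enabled, for example `# Patch disables profiles not ready for RHEL8; enabled: OSPP, PCI-DSS, E8, STIG, ISM` (confirm the full list against disable-not-in-good-shape-profiles.patch). Separately, the condition `%if ( %{defined rhel} && (! %{defined centos}) )` is repeated at four sites: `%package rule-playbooks`, the `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED` option, the `%exclude`, and `%files rule-playbooks`. Defining it once, e.g. `%global rule_playbooks_enabled ( %{defined rhel} && (! %{defined centos}) )` and testing `%if %{rule_playbooks_enabled}`, would keep the `%exclude` and the subpackage file list from drifting apart. A one-line comment saying why CentOS builds skip the subpackage would also help.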