Fix a broken HTTP link, add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
Resolves: rhbz#1962564
This commit is contained in:
parent
c9032c1d61
commit
bd64402d52
702
scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
Normal file
702
scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
Normal file
@ -0,0 +1,702 @@
|
|||||||
|
From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 9 Jul 2021 14:41:03 +0200
|
||||||
|
Subject: [PATCH 01/12] ensure that higher policy levels can override variables
|
||||||
|
of lower levels
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/controls.py | 13 ++++++++++---
|
||||||
|
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 297d80e46c5..165cdf0511a 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
- for c in all_policy_controls:
|
||||||
|
- if len(level_ids.intersection(c.levels)) > 0:
|
||||||
|
- eligible_controls.append(c)
|
||||||
|
+ defined_variables = []
|
||||||
|
+ # we will go level by level, from top to bottom
|
||||||
|
+ # this is done to enable overriding of variables by higher levels
|
||||||
|
+ for lv in level_ids:
|
||||||
|
+ for c in all_policy_controls:
|
||||||
|
+ if lv in c.levels:
|
||||||
|
+ # if the control has a variable, check if it is not already defined
|
||||||
|
+ if c.variables.keys().isdisjoint(defined_variables):
|
||||||
|
+ eligible_controls.append(c)
|
||||||
|
+ defined_variables += [*c.variables.keys()]
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 14:02:25 +0200
|
||||||
|
Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
|
||||||
|
|
||||||
|
because of compatibility with python2
|
||||||
|
---
|
||||||
|
ssg/controls.py | 21 ++++++++++++++-------
|
||||||
|
1 file changed, 14 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 165cdf0511a..611a647e125 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -2,6 +2,7 @@
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
|
from glob import glob
|
||||||
|
+from collections import OrderedDict
|
||||||
|
|
||||||
|
import ssg.build_yaml
|
||||||
|
import ssg.yaml
|
||||||
|
@@ -152,16 +153,18 @@ def get_level(self, level_id):
|
||||||
|
raise ValueError(msg)
|
||||||
|
|
||||||
|
def get_level_with_ancestors(self, level_id):
|
||||||
|
- levels = set()
|
||||||
|
+ # use OrderedDict for Python2 compatibility instead of ordered set
|
||||||
|
+ levels = OrderedDict()
|
||||||
|
level = self.get_level(level_id)
|
||||||
|
- levels.add(level)
|
||||||
|
+ levels[level] = ""
|
||||||
|
if level.inherits_from:
|
||||||
|
for lv in level.inherits_from:
|
||||||
|
- levels.update(self.get_level_with_ancestors(lv))
|
||||||
|
+ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
|
||||||
|
+ for l in eligible_levels:
|
||||||
|
+ levels[l] = ""
|
||||||
|
return levels
|
||||||
|
|
||||||
|
|
||||||
|
-
|
||||||
|
class ControlsManager():
|
||||||
|
def __init__(self, controls_dir, env_yaml=None):
|
||||||
|
self.controls_dir = os.path.abspath(controls_dir)
|
||||||
|
@@ -198,20 +201,24 @@ def _get_policy(self, policy_id):
|
||||||
|
def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
- level_ids = set([lv.id for lv in levels])
|
||||||
|
+ # we use OrderedDict here with empty values instead of ordered set
|
||||||
|
+ # cause we want to be compatible with python 2
|
||||||
|
+ level_ids = OrderedDict()
|
||||||
|
+ for lv in levels.keys():
|
||||||
|
+ level_ids[lv.id] = ""
|
||||||
|
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
defined_variables = []
|
||||||
|
# we will go level by level, from top to bottom
|
||||||
|
# this is done to enable overriding of variables by higher levels
|
||||||
|
- for lv in level_ids:
|
||||||
|
+ for lv in level_ids.keys():
|
||||||
|
for c in all_policy_controls:
|
||||||
|
if lv in c.levels:
|
||||||
|
# if the control has a variable, check if it is not already defined
|
||||||
|
if c.variables.keys().isdisjoint(defined_variables):
|
||||||
|
eligible_controls.append(c)
|
||||||
|
- defined_variables += [*c.variables.keys()]
|
||||||
|
+ defined_variables += list(c.variables.keys())
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 16:30:10 +0200
|
||||||
|
Subject: [PATCH 03/12] rework handling of variables when returning all
|
||||||
|
controls of a level
|
||||||
|
|
||||||
|
currently only the top most level variables are kept in the controls
|
||||||
|
if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control
|
||||||
|
the original control stays in tact
|
||||||
|
---
|
||||||
|
ssg/controls.py | 27 +++++++++++++++++++++------
|
||||||
|
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 611a647e125..4ebb8bda3d7 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -1,8 +1,8 @@
|
||||||
|
import collections
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
|
+import copy
|
||||||
|
from glob import glob
|
||||||
|
-from collections import OrderedDict
|
||||||
|
|
||||||
|
import ssg.build_yaml
|
||||||
|
import ssg.yaml
|
||||||
|
@@ -154,7 +154,7 @@ def get_level(self, level_id):
|
||||||
|
|
||||||
|
def get_level_with_ancestors(self, level_id):
|
||||||
|
# use OrderedDict for Python2 compatibility instead of ordered set
|
||||||
|
- levels = OrderedDict()
|
||||||
|
+ levels = collections.OrderedDict()
|
||||||
|
level = self.get_level(level_id)
|
||||||
|
levels[level] = ""
|
||||||
|
if level.inherits_from:
|
||||||
|
@@ -201,24 +201,39 @@ def _get_policy(self, policy_id):
|
||||||
|
def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
+ print ("getting levels of " + level_id)
|
||||||
|
+ print ([ l.id for l in levels.keys()])
|
||||||
|
# we use OrderedDict here with empty values instead of ordered set
|
||||||
|
# cause we want to be compatible with python 2
|
||||||
|
- level_ids = OrderedDict()
|
||||||
|
+ level_ids = collections.OrderedDict()
|
||||||
|
for lv in levels.keys():
|
||||||
|
level_ids[lv.id] = ""
|
||||||
|
-
|
||||||
|
+ print (level_ids.keys())
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
defined_variables = []
|
||||||
|
# we will go level by level, from top to bottom
|
||||||
|
# this is done to enable overriding of variables by higher levels
|
||||||
|
for lv in level_ids.keys():
|
||||||
|
+ print ("going through level " +lv)
|
||||||
|
for c in all_policy_controls:
|
||||||
|
+ print (c.levels)
|
||||||
|
if lv in c.levels:
|
||||||
|
# if the control has a variable, check if it is not already defined
|
||||||
|
- if c.variables.keys().isdisjoint(defined_variables):
|
||||||
|
+ variables = list(c.variables.keys())
|
||||||
|
+ if len(variables) == 0:
|
||||||
|
eligible_controls.append(c)
|
||||||
|
- defined_variables += list(c.variables.keys())
|
||||||
|
+ for var in variables:
|
||||||
|
+ if var in defined_variables:
|
||||||
|
+ # if it is, create new instance of the control and remove the variable
|
||||||
|
+ # we are going from the top level to the bottom
|
||||||
|
+ # so we don't want to overwrite variables
|
||||||
|
+ new_c = copy.deepcopy(c)
|
||||||
|
+ del new_c.variables[var]
|
||||||
|
+ eligible_controls.append(new_c)
|
||||||
|
+ else:
|
||||||
|
+ defined_variables.append(var)
|
||||||
|
+ eligible_controls.append(c)
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 16:31:25 +0200
|
||||||
|
Subject: [PATCH 04/12] add tests for defining of variables
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++
|
||||||
|
tests/unit/ssg-module/test_controls.py | 5 +++++
|
||||||
|
2 files changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
index aded77c12a6..b98a7cd4e19 100644
|
||||||
|
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
@@ -19,10 +19,14 @@ controls:
|
||||||
|
- id: S2
|
||||||
|
levels:
|
||||||
|
- low
|
||||||
|
+ rules:
|
||||||
|
+ - var_password_pam_minlen=1
|
||||||
|
|
||||||
|
- id: S3
|
||||||
|
levels:
|
||||||
|
- medium
|
||||||
|
+ rules:
|
||||||
|
+ - var_password_pam_minlen=2
|
||||||
|
|
||||||
|
- id: S4
|
||||||
|
title: Configure authentication
|
||||||
|
@@ -36,3 +40,5 @@ controls:
|
||||||
|
title: Enforce password quality standards
|
||||||
|
levels:
|
||||||
|
- high
|
||||||
|
+ rules:
|
||||||
|
+ - var_password_pam_minlen=3
|
||||||
|
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
||||||
|
index ff9b04f26c9..06fcb0c375d 100644
|
||||||
|
--- a/tests/unit/ssg-module/test_controls.py
|
||||||
|
+++ b/tests/unit/ssg-module/test_controls.py
|
||||||
|
@@ -87,6 +87,11 @@ def test_controls_levels():
|
||||||
|
assert len(low_controls) == 4
|
||||||
|
assert len(medium_controls) == 5
|
||||||
|
|
||||||
|
+ # test overriding of variables in levels
|
||||||
|
+ assert c_2.variables["var_password_pam_minlen"] == "1"
|
||||||
|
+ assert c_3.variables["var_password_pam_minlen"] == "2"
|
||||||
|
+ assert c_4b.variables["var_password_pam_minlen"] == "3"
|
||||||
|
+
|
||||||
|
|
||||||
|
def test_controls_load_product():
|
||||||
|
ssg_root = \
|
||||||
|
|
||||||
|
From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 6 Aug 2021 09:30:47 +0200
|
||||||
|
Subject: [PATCH 05/12] make overriding of variables optional
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/controls.py | 38 +++++++++++++++++++-------------------
|
||||||
|
1 file changed, 19 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 4ebb8bda3d7..90639fbe4c7 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -198,42 +198,42 @@ def _get_policy(self, policy_id):
|
||||||
|
raise ValueError(msg)
|
||||||
|
return policy
|
||||||
|
|
||||||
|
- def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
+ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
||||||
|
+ # if override_vars is enabled, then variables from higher levels will
|
||||||
|
+ # override variables efined in controls of lower levels
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
- print ("getting levels of " + level_id)
|
||||||
|
- print ([ l.id for l in levels.keys()])
|
||||||
|
# we use OrderedDict here with empty values instead of ordered set
|
||||||
|
# cause we want to be compatible with python 2
|
||||||
|
level_ids = collections.OrderedDict()
|
||||||
|
for lv in levels.keys():
|
||||||
|
level_ids[lv.id] = ""
|
||||||
|
- print (level_ids.keys())
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
defined_variables = []
|
||||||
|
# we will go level by level, from top to bottom
|
||||||
|
# this is done to enable overriding of variables by higher levels
|
||||||
|
for lv in level_ids.keys():
|
||||||
|
- print ("going through level " +lv)
|
||||||
|
for c in all_policy_controls:
|
||||||
|
- print (c.levels)
|
||||||
|
if lv in c.levels:
|
||||||
|
- # if the control has a variable, check if it is not already defined
|
||||||
|
- variables = list(c.variables.keys())
|
||||||
|
- if len(variables) == 0:
|
||||||
|
+ if override_vars == False:
|
||||||
|
eligible_controls.append(c)
|
||||||
|
- for var in variables:
|
||||||
|
- if var in defined_variables:
|
||||||
|
- # if it is, create new instance of the control and remove the variable
|
||||||
|
- # we are going from the top level to the bottom
|
||||||
|
- # so we don't want to overwrite variables
|
||||||
|
- new_c = copy.deepcopy(c)
|
||||||
|
- del new_c.variables[var]
|
||||||
|
- eligible_controls.append(new_c)
|
||||||
|
- else:
|
||||||
|
- defined_variables.append(var)
|
||||||
|
+ else:
|
||||||
|
+ # if the control has a variable, check if it is not already defined
|
||||||
|
+ variables = list(c.variables.keys())
|
||||||
|
+ if len(variables) == 0:
|
||||||
|
eligible_controls.append(c)
|
||||||
|
+ for var in variables:
|
||||||
|
+ if var in defined_variables:
|
||||||
|
+ # if it is, create new instance of the control and remove the variable
|
||||||
|
+ # we are going from the top level to the bottom
|
||||||
|
+ # so we don't want to overwrite variables
|
||||||
|
+ new_c = copy.deepcopy(c)
|
||||||
|
+ del new_c.variables[var]
|
||||||
|
+ eligible_controls.append(new_c)
|
||||||
|
+ else:
|
||||||
|
+ defined_variables.append(var)
|
||||||
|
+ eligible_controls.append(c)
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 11 Aug 2021 12:38:42 +0200
|
||||||
|
Subject: [PATCH 06/12] fix a typo
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/controls.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 90639fbe4c7..10a304bf8c2 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -200,7 +200,7 @@ def _get_policy(self, policy_id):
|
||||||
|
|
||||||
|
def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
||||||
|
# if override_vars is enabled, then variables from higher levels will
|
||||||
|
- # override variables efined in controls of lower levels
|
||||||
|
+ # override variables defined in controls of lower levels
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
# we use OrderedDict here with empty values instead of ordered set
|
||||||
|
|
||||||
|
From 8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 11 Aug 2021 17:02:11 +0200
|
||||||
|
Subject: [PATCH 07/12] update tests to check that overriding of variables
|
||||||
|
works
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ssg-module/data/controls_dir/abcd-levels.yml | 4 +---
|
||||||
|
tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++--
|
||||||
|
2 files changed, 15 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
index b98a7cd4e19..99efafd832e 100644
|
||||||
|
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
@@ -25,8 +25,6 @@ controls:
|
||||||
|
- id: S3
|
||||||
|
levels:
|
||||||
|
- medium
|
||||||
|
- rules:
|
||||||
|
- - var_password_pam_minlen=2
|
||||||
|
|
||||||
|
- id: S4
|
||||||
|
title: Configure authentication
|
||||||
|
@@ -41,4 +39,4 @@ controls:
|
||||||
|
levels:
|
||||||
|
- high
|
||||||
|
rules:
|
||||||
|
- - var_password_pam_minlen=3
|
||||||
|
+ - var_password_pam_minlen=2
|
||||||
|
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
||||||
|
index 06fcb0c375d..124b344d141 100644
|
||||||
|
--- a/tests/unit/ssg-module/test_controls.py
|
||||||
|
+++ b/tests/unit/ssg-module/test_controls.py
|
||||||
|
@@ -89,8 +89,20 @@ def test_controls_levels():
|
||||||
|
|
||||||
|
# test overriding of variables in levels
|
||||||
|
assert c_2.variables["var_password_pam_minlen"] == "1"
|
||||||
|
- assert c_3.variables["var_password_pam_minlen"] == "2"
|
||||||
|
- assert c_4b.variables["var_password_pam_minlen"] == "3"
|
||||||
|
+ assert "var_password_pam_minlen" not in c_3.variables.keys()
|
||||||
|
+ assert c_4b.variables["var_password_pam_minlen"] == "2"
|
||||||
|
+
|
||||||
|
+ for c in low_controls:
|
||||||
|
+ if "var_password_pam_minlen" in c.variables.keys():
|
||||||
|
+ assert c.variables["var_password_pam_minlen"] == "1"
|
||||||
|
+
|
||||||
|
+ for c in medium_controls:
|
||||||
|
+ if "var_password_pam_minlen" in c.variables.keys():
|
||||||
|
+ assert c.variables["var_password_pam_minlen"] == "1"
|
||||||
|
+
|
||||||
|
+ for c in high_controls:
|
||||||
|
+ if "var_password_pam_minlen" in c.variables.keys():
|
||||||
|
+ assert c.variables["var_password_pam_minlen"] == "2"
|
||||||
|
|
||||||
|
|
||||||
|
def test_controls_load_product():
|
||||||
|
|
||||||
|
From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 11 Aug 2021 17:02:32 +0200
|
||||||
|
Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting
|
||||||
|
controls of a certain level
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/controls.py | 34 +++++++++++++++-------------------
|
||||||
|
1 file changed, 15 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 10a304bf8c2..7923f0cb379 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -198,9 +198,7 @@ def _get_policy(self, policy_id):
|
||||||
|
raise ValueError(msg)
|
||||||
|
return policy
|
||||||
|
|
||||||
|
- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
||||||
|
- # if override_vars is enabled, then variables from higher levels will
|
||||||
|
- # override variables defined in controls of lower levels
|
||||||
|
+ def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
# we use OrderedDict here with empty values instead of ordered set
|
||||||
|
@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
||||||
|
for lv in level_ids.keys():
|
||||||
|
for c in all_policy_controls:
|
||||||
|
if lv in c.levels:
|
||||||
|
- if override_vars == False:
|
||||||
|
+ # if the control has a variable, check if it is not already defined
|
||||||
|
+ variables = list(c.variables.keys())
|
||||||
|
+ if len(variables) == 0:
|
||||||
|
eligible_controls.append(c)
|
||||||
|
- else:
|
||||||
|
- # if the control has a variable, check if it is not already defined
|
||||||
|
- variables = list(c.variables.keys())
|
||||||
|
- if len(variables) == 0:
|
||||||
|
+ continue
|
||||||
|
+ for var in variables:
|
||||||
|
+ if var in defined_variables:
|
||||||
|
+ # if it is, create new instance of the control and remove the variable
|
||||||
|
+ # we are going from the top level to the bottom
|
||||||
|
+ # so we don't want to overwrite variables
|
||||||
|
+ new_c = copy.deepcopy(c)
|
||||||
|
+ del new_c.variables[var]
|
||||||
|
+ eligible_controls.append(new_c)
|
||||||
|
+ else:
|
||||||
|
+ defined_variables.append(var)
|
||||||
|
eligible_controls.append(c)
|
||||||
|
- for var in variables:
|
||||||
|
- if var in defined_variables:
|
||||||
|
- # if it is, create new instance of the control and remove the variable
|
||||||
|
- # we are going from the top level to the bottom
|
||||||
|
- # so we don't want to overwrite variables
|
||||||
|
- new_c = copy.deepcopy(c)
|
||||||
|
- del new_c.variables[var]
|
||||||
|
- eligible_controls.append(new_c)
|
||||||
|
- else:
|
||||||
|
- defined_variables.append(var)
|
||||||
|
- eligible_controls.append(c)
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 12 Aug 2021 15:30:39 +0200
|
||||||
|
Subject: [PATCH 09/12] get rid of one ordereddict
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/controls.py | 9 ++-------
|
||||||
|
1 file changed, 2 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 7923f0cb379..891b13c891c 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -201,19 +201,14 @@ def _get_policy(self, policy_id):
|
||||||
|
def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
- # we use OrderedDict here with empty values instead of ordered set
|
||||||
|
- # cause we want to be compatible with python 2
|
||||||
|
- level_ids = collections.OrderedDict()
|
||||||
|
- for lv in levels.keys():
|
||||||
|
- level_ids[lv.id] = ""
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
defined_variables = []
|
||||||
|
# we will go level by level, from top to bottom
|
||||||
|
# this is done to enable overriding of variables by higher levels
|
||||||
|
- for lv in level_ids.keys():
|
||||||
|
+ for lv in levels.keys():
|
||||||
|
for c in all_policy_controls:
|
||||||
|
- if lv in c.levels:
|
||||||
|
+ if lv.id in c.levels:
|
||||||
|
# if the control has a variable, check if it is not already defined
|
||||||
|
variables = list(c.variables.keys())
|
||||||
|
if len(variables) == 0:
|
||||||
|
|
||||||
|
From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 12 Aug 2021 16:44:57 +0200
|
||||||
|
Subject: [PATCH 10/12] fix overriding of variables
|
||||||
|
|
||||||
|
when there were multiple variables overridden, it caused problems by creating multiple copies of controls
|
||||||
|
---
|
||||||
|
ssg/controls.py | 16 +++++++++-------
|
||||||
|
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 891b13c891c..8b69676313c 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
if len(variables) == 0:
|
||||||
|
eligible_controls.append(c)
|
||||||
|
continue
|
||||||
|
+ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
|
||||||
|
for var in variables:
|
||||||
|
if var in defined_variables:
|
||||||
|
- # if it is, create new instance of the control and remove the variable
|
||||||
|
- # we are going from the top level to the bottom
|
||||||
|
- # so we don't want to overwrite variables
|
||||||
|
- new_c = copy.deepcopy(c)
|
||||||
|
- del new_c.variables[var]
|
||||||
|
- eligible_controls.append(new_c)
|
||||||
|
+ variables_to_remove.append(var)
|
||||||
|
else:
|
||||||
|
defined_variables.append(var)
|
||||||
|
- eligible_controls.append(c)
|
||||||
|
+ if len(variables_to_remove) == 0:
|
||||||
|
+ eligible_controls.append(c)
|
||||||
|
+ else:
|
||||||
|
+ new_c = copy.deepcopy(c)
|
||||||
|
+ for var in variables_to_remove:
|
||||||
|
+ del new_c.variables[var]
|
||||||
|
+ eligible_controls.append(new_c)
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
|
||||||
|
From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Thu, 12 Aug 2021 16:45:38 +0200
|
||||||
|
Subject: [PATCH 11/12] extended tests to test for multiple overridden
|
||||||
|
variables
|
||||||
|
|
||||||
|
---
|
||||||
|
.../data/controls_dir/abcd-levels.yml | 2 ++
|
||||||
|
tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++
|
||||||
|
2 files changed, 21 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
index 99efafd832e..2e60ec43532 100644
|
||||||
|
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
||||||
|
@@ -21,6 +21,7 @@ controls:
|
||||||
|
- low
|
||||||
|
rules:
|
||||||
|
- var_password_pam_minlen=1
|
||||||
|
+ - var_some_variable=1
|
||||||
|
|
||||||
|
- id: S3
|
||||||
|
levels:
|
||||||
|
@@ -40,3 +41,4 @@ controls:
|
||||||
|
- high
|
||||||
|
rules:
|
||||||
|
- var_password_pam_minlen=2
|
||||||
|
+ - var_some_variable=3
|
||||||
|
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
||||||
|
index 124b344d141..1465661b04a 100644
|
||||||
|
--- a/tests/unit/ssg-module/test_controls.py
|
||||||
|
+++ b/tests/unit/ssg-module/test_controls.py
|
||||||
|
@@ -104,6 +104,25 @@ def test_controls_levels():
|
||||||
|
if "var_password_pam_minlen" in c.variables.keys():
|
||||||
|
assert c.variables["var_password_pam_minlen"] == "2"
|
||||||
|
|
||||||
|
+ # now test if controls of lower level has the variable definition correctly removed
|
||||||
|
+ # because it is overriden by higher level controls
|
||||||
|
+ s2_high = [c for c in high_controls if c.id == "S2"]
|
||||||
|
+ assert len(s2_high) == 1
|
||||||
|
+ assert "var_some_variable" not in s2_high[0].variables.keys()
|
||||||
|
+ assert "var_password_pam_minlen" not in s2_high[0].variables.keys()
|
||||||
|
+ s4b_high = [c for c in high_controls if c.id == "S4.b"]
|
||||||
|
+ assert len(s4b_high) == 1
|
||||||
|
+ assert s4b_high[0].variables["var_some_variable"] == "3"
|
||||||
|
+ assert s4b_high[0].variables["var_password_pam_minlen"] == "2"
|
||||||
|
+
|
||||||
|
+ # check that in low level the variable is correctly placed there in S2
|
||||||
|
+ s2_low = [c for c in low_controls if c.id == "S2"]
|
||||||
|
+ assert len(s2_low) == 1
|
||||||
|
+ assert s2_low[0].variables["var_some_variable"] == "1"
|
||||||
|
+ assert s2_low[0].variables["var_password_pam_minlen"] == "1"
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
|
||||||
|
def test_controls_load_product():
|
||||||
|
ssg_root = \
|
||||||
|
|
||||||
|
From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Mon, 16 Aug 2021 10:39:22 +0200
|
||||||
|
Subject: [PATCH 12/12] Style improvements
|
||||||
|
|
||||||
|
- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence,
|
||||||
|
and made it return a list - a dictionary result is quite confusing.
|
||||||
|
- Removed some optimization in the variable deletion loops.
|
||||||
|
- Extracted functionality to a _get_control_without_variables static
|
||||||
|
method.
|
||||||
|
- Defined variable removal steps using set operations.
|
||||||
|
---
|
||||||
|
ssg/controls.py | 54 +++++++++++++++++++++++++------------------------
|
||||||
|
1 file changed, 28 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/controls.py b/ssg/controls.py
|
||||||
|
index 8b69676313c..ca3187d5b16 100644
|
||||||
|
--- a/ssg/controls.py
|
||||||
|
+++ b/ssg/controls.py
|
||||||
|
@@ -152,17 +152,17 @@ def get_level(self, level_id):
|
||||||
|
)
|
||||||
|
raise ValueError(msg)
|
||||||
|
|
||||||
|
- def get_level_with_ancestors(self, level_id):
|
||||||
|
+ def get_level_with_ancestors_sequence(self, level_id):
|
||||||
|
# use OrderedDict for Python2 compatibility instead of ordered set
|
||||||
|
levels = collections.OrderedDict()
|
||||||
|
level = self.get_level(level_id)
|
||||||
|
levels[level] = ""
|
||||||
|
if level.inherits_from:
|
||||||
|
for lv in level.inherits_from:
|
||||||
|
- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
|
||||||
|
+ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()]
|
||||||
|
for l in eligible_levels:
|
||||||
|
levels[l] = ""
|
||||||
|
- return levels
|
||||||
|
+ return list(levels.keys())
|
||||||
|
|
||||||
|
|
||||||
|
class ControlsManager():
|
||||||
|
@@ -200,35 +200,37 @@ def _get_policy(self, policy_id):
|
||||||
|
|
||||||
|
def get_all_controls_of_level(self, policy_id, level_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
- levels = policy.get_level_with_ancestors(level_id)
|
||||||
|
+ levels = policy.get_level_with_ancestors_sequence(level_id)
|
||||||
|
all_policy_controls = self.get_all_controls(policy_id)
|
||||||
|
eligible_controls = []
|
||||||
|
- defined_variables = []
|
||||||
|
+ already_defined_variables = set()
|
||||||
|
# we will go level by level, from top to bottom
|
||||||
|
# this is done to enable overriding of variables by higher levels
|
||||||
|
- for lv in levels.keys():
|
||||||
|
- for c in all_policy_controls:
|
||||||
|
- if lv.id in c.levels:
|
||||||
|
- # if the control has a variable, check if it is not already defined
|
||||||
|
- variables = list(c.variables.keys())
|
||||||
|
- if len(variables) == 0:
|
||||||
|
- eligible_controls.append(c)
|
||||||
|
- continue
|
||||||
|
- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
|
||||||
|
- for var in variables:
|
||||||
|
- if var in defined_variables:
|
||||||
|
- variables_to_remove.append(var)
|
||||||
|
- else:
|
||||||
|
- defined_variables.append(var)
|
||||||
|
- if len(variables_to_remove) == 0:
|
||||||
|
- eligible_controls.append(c)
|
||||||
|
- else:
|
||||||
|
- new_c = copy.deepcopy(c)
|
||||||
|
- for var in variables_to_remove:
|
||||||
|
- del new_c.variables[var]
|
||||||
|
- eligible_controls.append(new_c)
|
||||||
|
+ for lv in levels:
|
||||||
|
+ for control in all_policy_controls:
|
||||||
|
+ if lv.id not in control.levels:
|
||||||
|
+ continue
|
||||||
|
+
|
||||||
|
+ variables = set(control.variables.keys())
|
||||||
|
+
|
||||||
|
+ variables_to_remove = variables.intersection(already_defined_variables)
|
||||||
|
+ already_defined_variables.update(variables)
|
||||||
|
+
|
||||||
|
+ new_c = self._get_control_without_variables(variables_to_remove, control)
|
||||||
|
+ eligible_controls.append(new_c)
|
||||||
|
+
|
||||||
|
return eligible_controls
|
||||||
|
|
||||||
|
+ @staticmethod
|
||||||
|
+ def _get_control_without_variables(variables_to_remove, control):
|
||||||
|
+ if not variables_to_remove:
|
||||||
|
+ return control
|
||||||
|
+
|
||||||
|
+ new_c = copy.deepcopy(control)
|
||||||
|
+ for var in variables_to_remove:
|
||||||
|
+ del new_c.variables[var]
|
||||||
|
+ return new_c
|
||||||
|
+
|
||||||
|
def get_all_controls(self, policy_id):
|
||||||
|
policy = self._get_policy(policy_id)
|
||||||
|
return policy.controls_by_id.values()
|
5333
scap-security-guide-0.1.58-cis_def-PR_6976.patch
Normal file
5333
scap-security-guide-0.1.58-cis_def-PR_6976.patch
Normal file
File diff suppressed because it is too large
Load Diff
160
scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
Normal file
160
scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Wed, 18 Aug 2021 15:16:59 +0200
|
||||||
|
Subject: [PATCH] Fix RHEL7 documentation links.
|
||||||
|
|
||||||
|
---
|
||||||
|
linux_os/guide/services/ldap/openldap_client/group.yml | 2 +-
|
||||||
|
linux_os/guide/services/ldap/openldap_server/group.yml | 2 +-
|
||||||
|
.../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +-
|
||||||
|
.../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +-
|
||||||
|
linux_os/guide/services/ntp/group.yml | 2 +-
|
||||||
|
.../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +-
|
||||||
|
linux_os/guide/services/sssd/group.yml | 2 +-
|
||||||
|
.../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +---
|
||||||
|
linux_os/guide/system/auditing/group.yml | 2 +-
|
||||||
|
.../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +-
|
||||||
|
.../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +-
|
||||||
|
11 files changed, 11 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml
|
||||||
|
index bf17a053cd5..a64f105395f 100644
|
||||||
|
--- a/linux_os/guide/services/ldap/openldap_client/group.yml
|
||||||
|
+++ b/linux_os/guide/services/ldap/openldap_client/group.yml
|
||||||
|
@@ -13,7 +13,7 @@ description: |-
|
||||||
|
files, which is useful when trying to use SSL cleanly across several protocols.
|
||||||
|
Installation and configuration of OpenLDAP on {{{ full_name }}} is available at
|
||||||
|
{{% if product == "rhel7" %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
|
||||||
|
{{% elif product == "ol7" %}}
|
||||||
|
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}.
|
||||||
|
{{% endif %}}
|
||||||
|
diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml
|
||||||
|
index c180820e9fc..d571867a7f8 100644
|
||||||
|
--- a/linux_os/guide/services/ldap/openldap_server/group.yml
|
||||||
|
+++ b/linux_os/guide/services/ldap/openldap_server/group.yml
|
||||||
|
@@ -7,5 +7,5 @@ description: |-
|
||||||
|
for an OpenLDAP server.
|
||||||
|
{{% if product == "rhel7" %}}
|
||||||
|
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at:
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
|
||||||
|
{{% endif %}}
|
||||||
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
|
||||||
|
index 8f939356ab1..7dc188589ee 100644
|
||||||
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
|
||||||
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
|
||||||
|
@@ -14,7 +14,7 @@ description: |-
|
||||||
|
{{% elif product == "ol8" %}}
|
||||||
|
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
|
||||||
|
{{% else %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
|
||||||
|
{{% endif %}}
|
||||||
|
for more detailed comparison of the features of both of the choices, and for
|
||||||
|
further guidance how to choose between the two NTP daemons.
|
||||||
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
||||||
|
index 503aecc0de2..27df8595efa 100644
|
||||||
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
||||||
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
||||||
|
@@ -14,7 +14,7 @@ description: |-
|
||||||
|
{{% elif product == "ol8" %}}
|
||||||
|
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
|
||||||
|
{{% else %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
|
||||||
|
{{% endif %}}
|
||||||
|
for more detailed comparison of the features of both of the choices, and for
|
||||||
|
further guidance how to choose between the two NTP daemons.
|
||||||
|
diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml
|
||||||
|
index 181b10dfd65..b944ee03116 100644
|
||||||
|
--- a/linux_os/guide/services/ntp/group.yml
|
||||||
|
+++ b/linux_os/guide/services/ntp/group.yml
|
||||||
|
@@ -54,7 +54,7 @@ description: |-
|
||||||
|
{{% elif product == "ol8" %}}
|
||||||
|
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
|
||||||
|
{{% elif product == "rhel7" %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
|
||||||
|
{{% elif "ubuntu" in product %}}
|
||||||
|
{{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}}
|
||||||
|
{{% elif "debian" in product %}}
|
||||||
|
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
||||||
|
index 065cf301b95..00739816f5e 100644
|
||||||
|
--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
||||||
|
+++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
||||||
|
@@ -17,7 +17,7 @@ description: |-
|
||||||
|
{{% elif product == "ol8" %}}
|
||||||
|
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
|
||||||
|
{{% else %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
|
||||||
|
{{% endif %}}
|
||||||
|
for guidance which NTP daemon to choose depending on the environment used.
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml
|
||||||
|
index 5b0caf7d64b..3f4eced7ca7 100644
|
||||||
|
--- a/linux_os/guide/services/sssd/group.yml
|
||||||
|
+++ b/linux_os/guide/services/sssd/group.yml
|
||||||
|
@@ -11,7 +11,7 @@ description: |-
|
||||||
|
<br /><br />
|
||||||
|
For more information, see
|
||||||
|
{{%- if product == "rhel7" -%}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}}
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}}
|
||||||
|
{{%- elif product == "rhel8" -%}}
|
||||||
|
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}}
|
||||||
|
{{%- elif product == "ol7" -%}}
|
||||||
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
|
||||||
|
index fc7f149bf40..62a343cf396 100644
|
||||||
|
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
|
||||||
|
@@ -8,9 +8,7 @@ description: |-
|
||||||
|
To enable smart card authentication, consult the documentation at:
|
||||||
|
<ul>
|
||||||
|
{{% if product == "rhel7" %}}
|
||||||
|
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
|
||||||
|
- {{% elif product == "rhel8" %}}
|
||||||
|
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
|
||||||
|
+ <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}</b></li>
|
||||||
|
{{% elif product == "ol7" %}}
|
||||||
|
<li><b>{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}</b></li>
|
||||||
|
{{% endif %}}
|
||||||
|
diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml
|
||||||
|
index 82f87e81c47..5fce88db032 100644
|
||||||
|
--- a/linux_os/guide/system/auditing/group.yml
|
||||||
|
+++ b/linux_os/guide/system/auditing/group.yml
|
||||||
|
@@ -38,7 +38,7 @@ description: |-
|
||||||
|
Examining some example audit records demonstrates how the Linux audit system
|
||||||
|
satisfies common requirements.
|
||||||
|
The following example from Fedora Documentation available at
|
||||||
|
- <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
|
||||||
|
+ <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
|
||||||
|
shows the substantial amount of information captured in a
|
||||||
|
two typical "raw" audit messages, followed by a breakdown of the most important
|
||||||
|
fields. In this example the message is SELinux-related and reports an AVC
|
||||||
|
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||||
|
index add0a41fa94..cd07fb4c0ca 100644
|
||||||
|
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||||
|
@@ -38,7 +38,7 @@ description: |-
|
||||||
|
{{% elif product in ["sle12", "sle15"] %}}
|
||||||
|
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
||||||
|
{{% elif product == "rhel7" %}}
|
||||||
|
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
||||||
|
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}.
|
||||||
|
{{% else %}}
|
||||||
|
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
|
||||||
|
{{% endif %}}
|
||||||
|
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
|
||||||
|
index 8e8b32f1d79..299b96c0592 100644
|
||||||
|
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
|
||||||
|
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
|
||||||
|
@@ -14,5 +14,5 @@ description: |-
|
||||||
|
the man page <tt>dconf(1)</tt>.
|
||||||
|
{{% else %}}
|
||||||
|
For more information about enforcing preferences in the GNOME3 environment using the DConf
|
||||||
|
- configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/></b> and the man page <tt>dconf(1)</tt>.
|
||||||
|
+ configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/></b> and the man page <tt>dconf(1)</tt>.
|
||||||
|
{{% endif %}}
|
1834
scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
Normal file
1834
scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,39 @@
|
|||||||
|
From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Tue, 24 Aug 2021 12:48:46 +0200
|
||||||
|
Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it
|
||||||
|
RHEL8 CIS.
|
||||||
|
|
||||||
|
This new selector is used to select explicit DEFAULT value in RHEL8 CIS
|
||||||
|
L1 profiles. The "default" selector cannot be selected and it causes
|
||||||
|
errors if used.
|
||||||
|
---
|
||||||
|
controls/cis_rhel8.yml | 2 +-
|
||||||
|
.../software/integrity/crypto/var_system_crypto_policy.var | 1 +
|
||||||
|
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
||||||
|
index 29d972427cf..c0d3f5f40de 100644
|
||||||
|
--- a/controls/cis_rhel8.yml
|
||||||
|
+++ b/controls/cis_rhel8.yml
|
||||||
|
@@ -553,7 +553,7 @@ controls:
|
||||||
|
automated: yes
|
||||||
|
rules:
|
||||||
|
- configure_crypto_policy
|
||||||
|
- - var_system_crypto_policy=default
|
||||||
|
+ - var_system_crypto_policy=default_policy
|
||||||
|
|
||||||
|
# This rule works in conjunction with the configure_crypto_policy above.
|
||||||
|
# If a system is remediated to CIS Level 1, just the rule above will apply
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
|
||||||
|
index ce301154a39..8b89848d122 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
|
||||||
|
@@ -13,6 +13,7 @@ interactive: false
|
||||||
|
|
||||||
|
options:
|
||||||
|
default: DEFAULT
|
||||||
|
+ default_policy: DEFAULT
|
||||||
|
default_nosha1: "DEFAULT:NO-SHA1"
|
||||||
|
fips: FIPS
|
||||||
|
fips_ospp: "FIPS:OSPP"
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.57
|
Version: 0.1.57
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
URL: https://github.com/ComplianceAsCode/content/
|
URL: https://github.com/ComplianceAsCode/content/
|
||||||
@ -20,6 +20,11 @@ Patch4: scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
|
|||||||
Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
|
Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
|
||||||
Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
|
Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
|
||||||
Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
|
Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
|
||||||
|
Patch8: scap-security-guide-0.1.58-cis_def-PR_6976.patch
|
||||||
|
Patch9: scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
|
||||||
|
Patch10: scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
|
||||||
|
Patch11: scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
|
||||||
|
Patch12: scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
@ -106,6 +111,11 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
|
||||||
|
- Fix a broken HTTP link
|
||||||
|
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
|
||||||
|
Resolves: rhbz#1962564
|
||||||
|
|
||||||
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
|
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
|
||||||
- Use SSHD directory-based configuration.
|
- Use SSHD directory-based configuration.
|
||||||
Resolves: rhbz#1962564
|
Resolves: rhbz#1962564
|
||||||
|
Loading…
Reference in New Issue
Block a user