import scap-security-guide-0.1.57-9.el8_5

This commit is contained in:
CentOS Sources 2022-04-26 09:52:49 -04:00 committed by Stepan Oksanichenko
parent da76cca84d
commit c24c37eb20
44 changed files with 16155 additions and 1 deletions


@ -0,0 +1,41 @@
From 628cbacb76e9950528359038cf3237ac7166f0b7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 14 Mar 2022 12:57:26 +0100
Subject: [PATCH] Reorder reference in alphabetical order.
---
.../integrity/crypto/configure_bind_crypto_policy/rule.yml | 2 +-
.../software/integrity/crypto/configure_crypto_policy/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
index e58c950..8d73d9d 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -29,8 +29,8 @@ identifiers:
references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
nist: SC-13,SC-12(2),SC-12(3)
- stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
+ stigid@rhel8: RHEL-08-010020
ocil_clause: |-
BIND is installed and the BIND config file doesn't contain the
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 5eea87a..a5a8df3 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -65,8 +65,8 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
- stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
--
2.34.1


@ -0,0 +1,199 @@
From 2cbc694687190cadb155c5582f93a8cf91ebdc4c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 26 Aug 2021 15:04:46 +0200
Subject: [PATCH] Bug 1942281 - Set postfix rules to notapplicable when package
is not installed
---
.../rule.yml | 2 ++
.../rule.yml | 2 ++
.../services/mail/postfix_harden_os/group.yml | 2 ++
.../rule.yml | 3 ++-
products/rhel8/profiles/stig.profile | 4 +---
products/rhel9/profiles/stig.profile | 4 +---
shared/applicability/general.yml | 5 +++++
.../installed_env_has_postfix_package.xml | 20 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 3 ++-
.../profile_stability/rhel8/stig_gui.profile | 3 ++-
11 files changed, 39 insertions(+), 10 deletions(-)
create mode 100644 shared/checks/oval/installed_env_has_postfix_package.xml
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
index 0faafeb0c2f..4b440e79845 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -21,3 +21,5 @@ ocil: |-
Run the following command to ensure postfix routes mail to this system:
<pre>$ grep relayhost /etc/postfix/main.cf</pre>
If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 096020ef687..579db484976 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -42,3 +42,5 @@ ocil: |-
Run the following command to ensure postfix accepts mail messages from only the local system:
<pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
+
+platform: postfix
diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
index 19b662508bd..8a415425e7d 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/group.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/group.yml
@@ -6,3 +6,5 @@ description: |-
The guidance in this section is appropriate for any host which is
operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
or some other software.
+
+platform: postfix
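Review bot: The `platform: postfix` appended to group.yml makes every rule under postfix_harden_os (including postfix_prevent_unrestricted_relay, which inherits it) evaluate as notapplicable whenever the postfix package is absent, yet the description kept three lines above still says the guidance applies "whether the mail server runs using Sendmail, Postfix, or some other software". That scoping matches the STIG's "if postfix is not installed, this is Not Applicable" wording, but the text now contradicts the applicability, so a Sendmail-only MTA reader is told the section applies to them while the scanner skips it. Suggest rewording the description to `The guidance in this section applies to hosts operating as a site MTA with Postfix installed; the rules are not applicable when the postfix package is absent.`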
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index 9b4c7656a85..75e4133b119 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,wrlinux1019
title: 'Prevent Unrestricted Mail Relaying'
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80512-7
cce@rhel8: CCE-84054-6
+ cce@rhel9: CCE-87232-5
references:
disa: CCI-000366
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d31b251645b..5e9a2216fcd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1160,9 +1160,7 @@ selections:
- sysctl_net_core_bpf_jit_harden
# RHEL-08-040290
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- # there needs to be a new platform check to identify when postfix is installed or not
- # - postfix_prevent_unrestricted_relay
+ - postfix_prevent_unrestricted_relay
# RHEL-08-040300
- aide_verify_ext_attributes
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index a40d848ee67..8d60468528d 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -1030,9 +1030,7 @@ selections:
- sysctl_net_ipv4_conf_all_rp_filter
# RHEL-08-040290
- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- # there needs to be a new platform check to identify when postfix is installed or not
- # - postfix_prevent_unrestricted_relay
+ - postfix_prevent_unrestricted_relay
# RHEL-08-040300
- aide_verify_ext_attributes
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 6e3ecfd9bf9..4163a07cbad 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -44,6 +44,11 @@ cpes:
title: "Package pam is installed"
check_id: installed_env_has_pam_package
+ - postfix:
+ name: "cpe:/a:postfix"
+ title: "Package postfix is installed"
+ check_id: installed_env_has_postfix_package
+
- sssd:
name: "cpe:/a:sssd"
title: "Package sssd-common is installed"
diff --git a/shared/checks/oval/installed_env_has_postfix_package.xml b/shared/checks/oval/installed_env_has_postfix_package.xml
new file mode 100644
index 00000000000..95ad355147b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_postfix_package.xml
@@ -0,0 +1,20 @@
+<def-group>
+
+ <definition class="inventory"
+ id="installed_env_has_postfix_package" version="1">
+ <metadata>
+ <title>Package postfix is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package postfix is installed.</description>
+ <reference ref_id="cpe:/a:postfix" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package postfix is installed" test_ref="test_env_has_postfix_installed" />
+ </criteria>
+ </definition>
+
+ {{{ oval_test_package_installed(package='postfix', evr='', test_id='test_env_has_postfix_installed') }}}
+
+</def-group>
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee4c156b79c..29fe687600c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1314,7 +1314,6 @@ CCE-87228-3
CCE-87229-1
CCE-87230-9
CCE-87231-7
-CCE-87232-5
CCE-87233-3
CCE-87234-1
CCE-87235-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ba596f86f83..ca0097b844b 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -64,8 +64,8 @@ selections:
- accounts_user_home_paths_only
- accounts_user_interactive_home_directory_defined
- accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
- agent_mfetpd_running
+- aide_check_audit_tools
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
@@ -304,6 +304,7 @@ selections:
- partition_for_var_log_audit
- partition_for_var_tmp
- postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
- require_emergency_target_auth
- require_singleuser_auth
- root_permissions_syslibrary_files
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9db93027011..3533208c4a5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -75,8 +75,8 @@ selections:
- accounts_user_home_paths_only
- accounts_user_interactive_home_directory_defined
- accounts_user_interactive_home_directory_exists
-- aide_check_audit_tools
- agent_mfetpd_running
+- aide_check_audit_tools
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
@@ -315,6 +315,7 @@ selections:
- partition_for_var_log_audit
- partition_for_var_tmp
- postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
- require_emergency_target_auth
- require_singleuser_auth
- root_permissions_syslibrary_files


@ -0,0 +1,375 @@
From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 19 Aug 2021 11:16:08 -0500
Subject: [PATCH] Added rule for RHEL-08-010400
---
.../ansible/shared.yml | 27 +++++++++++++
.../bash/shared.sh | 33 +++++++++++++++
.../oval/shared.xml | 30 ++++++++++++++
.../sssd_certificate_verification/rule.yml | 40 +++++++++++++++++++
.../tests/correct_value.pass.sh | 6 +++
.../tests/correct_with_others_before.pass.sh | 6 +++
.../tests/not_configured.fail.sh | 5 +++
.../tests/partial_config.fail.sh | 6 +++
.../tests/wrong_section.fail.sh | 6 +++
.../tests/wrong_value.fail.sh | 6 +++
...rtificate_verification_digest_function.var | 20 ++++++++++
products/rhel8/profiles/stig.profile | 2 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 4 +-
.../profile_stability/rhel8/stig_gui.profile | 4 +-
15 files changed, 193 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
new file mode 100644
index 00000000000..8e36f0974fd
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
@@ -0,0 +1,27 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: sssd
+ option: certificate_verification
+ state: absent
+
+- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
+ ini_file:
+ path: /etc/sssd/conf.d/*.conf
+ section: sssd
+ option: certificate_verification
+ state: absent
+
+- name: Ensure that "certificate_verification" is set
+ ini_file:
+ path: /etc/sssd/conf.d/certificate_verification.conf
+ section: sssd
+ option: certificate_verification
+ value: "ocsp_dgst = sha1"
+ state: present
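Review bot: The last task hard-codes `value: "ocsp_dgst = sha1"` while the bash remediation and the OVAL check in this same patch take the digest from var_sssd_certificate_verification_digest_function, so a profile that selects sha256 is remediated to sha1 by Ansible and then still fails the scan. The task also creates /etc/sssd/conf.d/certificate_verification.conf with ini_file's default mode, whereas the bash version sets root:root 0600; sssd is strict about ownership and permissions of its configuration files and, as far as I recall, rejects files it considers too open, so the mode should be set explicitly. The middle task passes `path: /etc/sssd/conf.d/*.conf` to ini_file, which does not expand globs, so it either acts on a literal `*.conf` path or does nothing — clearing the option from existing drop-ins needs a `find` plus a loop. The variable should be pulled in with the Ansible counterpart of the `bash_instantiate_variables` macro used in bash/shared.sh.
```yaml
{{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}

# … unchanged: task removing certificate_verification from /etc/sssd/sssd.conf …

- name: Ensure that "certificate_verification" is set
  ini_file:
    path: /etc/sssd/conf.d/certificate_verification.conf
    section: sssd
    option: certificate_verification
    value: "ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}"
    state: present
    owner: root
    group: root
    mode: '0600'
```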
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
new file mode 100644
index 00000000000..8f9e5514480
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
@@ -0,0 +1,33 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+# include our remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
+
+found=false
+for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+ cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )
+ if [ -n "$cert" ] ; then
+ if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then
+ sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+ fi
+ found=true
+ fi
+done
+
+if ! $found ; then
+ SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+ mkdir -p $( dirname $SSSD_CONF )
+ touch $SSSD_CONF
+ chown root:root $SSSD_CONF
+ chmod 600 $SSSD_CONF
+ echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF
+fi
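Review bot: The `sed -i "s/^certificate_verification\s*=.*/..."` on the fix path rewrites every certificate_verification line in the file regardless of section, while the awk that decided the file needs fixing only looked inside `[sssd]`, and it replaces the whole value, discarding any other sub-options on that line. Per sssd.conf(5), certificate_verification is, I believe, a comma-separated list (partial_chain, crl_file=, ocsp_default_responder=, ocsp_dgst=, …); the awk regex only recognises `ocsp_dgst` when it is the first sub-option, so a line such as `certificate_verification = partial_chain, ocsp_dgst=sha256` is treated as "not found" and a conf.d drop-in is written that, since drop-ins override sssd.conf, silently drops the administrator's other settings. The comparison on the `!=` line also leaves `$var_sssd_certificate_verification_digest_function` unquoted. Suggest `if [ "$cert" != "$var_sssd_certificate_verification_digest_function" ] ; then` and a sed that only replaces the digest token, e.g. `sed -i "s/\(^\s*certificate_verification\s*=.*ocsp_dgst\s*=\s*\)\w\+/\1$var_sssd_certificate_verification_digest_function/" "$f"`.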
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
new file mode 100644
index 00000000000..77736f54f03
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
@@ -0,0 +1,30 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst
+ digest function") }}}
+ <criteria>
+ <criterion comment="check value of certificate_verification in sssd configuration"
+ test_ref="test_{{{rule_id}}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test the value of
+ certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">
+ <ind:object object_ref="obj_{{{rule_id}}}" />
+ <ind:state state_ref="state_{{{rule_id}}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
+ <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">
+ <ind:subexpression operation="equals" var_check="all"
+ var_ref="var_sssd_certificate_verification_digest_function" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="certificate_verification value" datatype="string"
+ id="var_sssd_certificate_verification_digest_function" version="1" />
+</def-group>
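Review bot: The object pattern anchors `(\w+)$` immediately after the digest and requires `ocsp_dgst` to follow the `=` directly, so a compliant line that carries any other sub-option (`certificate_verification = ocsp_dgst=sha1, crl_file=/etc/sssd/crl.pem`, or one with a preceding sub-option) fails the check even though the digest is correct. The bash remediation's awk accepts trailing text (`.*`), so scan and fix disagree on what counts as configured. Suggest relaxing the tail of the pattern to `certificate_verification\s*=(?:[^\n]*,)?\s*ocsp_dgst\s*=\s*(\w+)\b[^\n]*$` so the subexpression still captures only the digest name.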
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
new file mode 100644
index 00000000000..182e75a2aab
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Certificate certificate status checking in SSSD'
+
+description: |-
+ Multifactor solutions that require devices separate from information systems gaining access include,
+ for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
+ By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for
+ multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
+
+rationale: |-
+ Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
+ ensures the security of the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86120-3
+
+references:
+ disa: CCI-001948
+ nist: IA-2(11)
+ srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
+ stigid@rhel8: RHEL-08-010400
+
+
+ocil_clause: 'certificate_verification in sssd is not configured'
+
+ocil: |-
+ Check to see if Online Certificate Status Protocol (OCSP)
+ is enabled and using the proper digest value on the system with the following command:
+ <pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"</pre>
+ If configured properly, output should look like
+ <pre>
+ certificate_verification = ocsp_dgst=sha1
+ </pre>
+ The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+ <pre>$ sudo systemctl restart sssd.service</pre>
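Review bot: The title `'Certificate certificate status checking in SSSD'` has a doubled word, the description has "sures that" for "ensures that", and the rationale has "Enusring"; all three are user-visible in the generated guide and datastream. The description and the ocil also hard-code `ocsp_dgst=sha1` even though the check and bash remediation are driven by var_sssd_certificate_verification_digest_function, so a profile choosing another digest shows misleading guidance — the postfix rules in this same import use `{{{ xccdf_value("var_...") }}}` for exactly this. Suggest `title: 'Certificate status checking in SSSD'` and, in both the description and the ocil, `ocsp_dgst={{{ xccdf_value("var_sssd_certificate_verification_digest_function") }}}`.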
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..24c19f44fdc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
new file mode 100644
index 00000000000..982450fc81b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
new file mode 100644
index 00000000000..ed011f9d4bc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
new file mode 100644
index 00000000000..3c7c468b9d5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
new file mode 100644
index 00000000000..635ca4bebcc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..93f363edc04
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
new file mode 100644
index 00000000000..cdbd0a13576
--- /dev/null
+++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'SSSD certificate_verification option'
+
+description: |-
+ Value of the certificate_verification option in
+ the SSSD config.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ sha1: sha1
+ sha256: sha256
+ sha384: sha384
+ sha512: sha512
+ default: sha1
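Review bot: The description says the variable is the "Value of the certificate_verification option", but it only holds the digest name that the check and remediations splice into `ocsp_dgst=<digest>`; the option value itself is never stored here. Suggest `Digest function (the ocsp_dgst sub-option of SSSD's certificate_verification) used when building OCSP status requests for smart-card certificates.` so a profile author does not try to put a full option string into it.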
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9dc9360e899..5b1f709faaf 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -70,6 +70,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
+ - var_sssd_certificate_verification_digest_function=sha1
### Enable / Configure FIPS
- enable_fips_mode
@@ -275,6 +276,7 @@ selections:
- install_smartcard_packages
# RHEL-08-010400
+ - sssd_certificate_verification
# RHEL-08-010410
- package_opensc_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..81f94f7dbca 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -236,7 +236,6 @@ CCE-86116-1
CCE-86117-9
CCE-86118-7
CCE-86119-5
-CCE-86120-3
CCE-86121-1
CCE-86122-9
CCE-86123-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e9ba0f0adbf..baef93bba64 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -342,6 +342,7 @@ selections:
- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
+- sssd_certificate_verification
- sssd_enable_certmap
- sssd_enable_smartcards
- sssd_offline_cred_expiration
@@ -410,6 +411,7 @@ selections:
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
@@ -425,7 +427,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
- var_system_crypto_policy=fips
- var_sudo_timestamp_timeout=always_prompt
title: DISA STIG for Red Hat Enterprise Linux 8
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c8540f9392e..237f66c721f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -353,6 +353,7 @@ selections:
- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
+- sssd_certificate_verification
- sssd_enable_certmap
- sssd_enable_smartcards
- sssd_offline_cred_expiration
@@ -420,6 +421,7 @@ selections:
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
@@ -435,7 +437,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
- var_system_crypto_policy=fips
- var_sudo_timestamp_timeout=always_prompt
title: DISA STIG with GUI for Red Hat Enterprise Linux 8


@ -0,0 +1,23 @@
From 91fb54a2e5e52d789f786fefbe711e7250470437 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 16 Sep 2021 19:45:26 +0200
Subject: [PATCH] Force masking of ctrl-alt-del.target
Without forcing the remediation it never converges.
The target is stopped but not masked.
---
.../disable_ctrlaltdel_reboot/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
index 8ea1de865ae..30f06a8751c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
@@ -7,6 +7,7 @@
- name: Disable Ctrl-Alt-Del Reboot Activation
systemd:
name: ctrl-alt-del.target
+ force: yes
masked: yes
state: stopped
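Review bot: The added `force: yes` is the whole fix but nothing in the task explains it, and the reason lives only in the commit message. Presumably an existing ctrl-alt-del.target link is not overwritten by `systemctl mask` unless --force is passed, which is why the target was stopped but never masked; a comment above the line such as `# force: an existing ctrl-alt-del.target symlink is not replaced by mask without --force, so the task never converged` keeps that knowledge with the code.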


@ -0,0 +1,33 @@
From 69eb6ab86201b5566595b3b6ac12f643dcd9e0ca Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 16 Sep 2021 14:59:27 +0200
Subject: [PATCH] Fix typo in rsyslog streamdriver remediations
The Ansible remediations don't need to escape '$'.
---
.../ansible/shared.yml | 2 +-
.../ansible/shared.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
index bbd27a00611..5d11103fc0f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
@@ -5,5 +5,5 @@
# disruption = low
{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
- parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+ parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
}}}
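Review bot: Dropping the backslash before `$ActionSendStreamDriverMode` is only safe if ansible_set_config_file escapes the parameter before building the regexp it uses to find an existing line; if the macro interpolates it raw, `$` becomes an end-of-line anchor, `^$ActionSend...` never matches, and the directive is appended to /etc/rsyslog.d/encrypt.conf on every run instead of being replaced. The commit message asserts the escape is unneeded but the hunk gives no evidence either way, so an idempotence check (run twice, assert no change on the second run) for this rule and the DefaultNetstreamDriver one below it would settle it. If the macro does not escape, the alternative is `parameter="\\$ActionSendStreamDriverMode"` so a single backslash survives into the regexp.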
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
index b215daaef4b..035ab152876 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -5,5 +5,5 @@
# disruption = low
{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
- parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
}}}



@ -0,0 +1,841 @@
commit 549241cec9404bd211a580454fdd28cb72dfe520
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 17:24:17 2022 +0100
Manual edited patch scap-security-guide-0.1.59-BZ1884687-PR_7770.patch.
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml
new file mode 100644
index 0000000..09d1984
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml
@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence of home directories to avoid creating them, but only fixing group ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ gid_min }}}
+ - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the group-owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ group: '{{ item.0.value[2] }}'
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
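Review bot: The final task zips `local_users` with `path_exists.results` and relies on the registered list keeping one entry per loop item, including the ones skipped by the `when` on the stat task (which is why `item.1.stat is defined` doubles as the gid filter); that coupling is correct but invisible, and a reorder of either task would silently misalign users and paths. A comment on the loop line such as `# path_exists.results is positional: skipped users still produce an entry (without .stat), so zip stays aligned` would protect it. Note also that ansible.builtin.file follows symlinks by default, so a home entry that is a symlink gets its target's group changed, which differs from nothing visible here but is worth stating in the task name.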
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh
new file mode 100644
index 0000000..08f7307
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd
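Review bot: The `system("chgrp -f " $4" "$6)` call hands an unquoted home-directory field from /etc/passwd to a shell, so a home path containing whitespace or shell metacharacters (legal in the passwd file and settable with `useradd -d`) is split into several arguments and, in the worst case, executed; root must already have written that field, so this is a robustness rather than a privilege issue, but it still makes the remediation do the wrong thing on odd but valid entries. Passing the pairs NUL-separated avoids the shell entirely and keeps the gid_min/65534 filter and the `-f` error suppression: `awk -F':' '$4 >= {{{ gid_min }}} && $4 != 65534 { printf "%s\0%s\0", $4, $6 }' /etc/passwd \` followed by `  | xargs -0 -r -n 2 chgrp -f`. The `-r` keeps xargs from running chgrp with no arguments when no interactive user exists.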
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
new file mode 100644
index 0000000..a1d1f2e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
@@ -0,0 +1,89 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All interactive user's Home Directories must be group-owned by its user") }}}
+ <criteria operator="AND">
+ <criterion test_ref="test_file_groupownership_home_directories"
+ comment="All interactive user's Home Directories must be group-owned by its user"/>
+ <criterion test_ref="test_file_groupownership_home_directories_duplicated"
+ comment="Interactive users should group-own only one Home Directory"/>
+ </criteria>
+ </definition>
+
+ <!-- For detailed comments about logic used in this OVAL, check the
+ "file_ownership_home_directories" rule. -->
+ <unix:password_object id="object_file_groupownership_home_directories_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_file_groupownership_home_directories_interactive_gids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_file_groupownership_home_directories_interactive_gids" version="1">
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
+ </unix:password_state>
+
+ <!-- #### prepare for test_file_groupownership_home_directories #### -->
+ <local_variable id="var_file_groupownership_home_directories_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from primary interactive groups">
+ <object_component item_field="home_dir" object_ref="object_file_groupownership_home_directories_objects"/>
+ </local_variable>
+
+ <local_variable id="var_file_groupownership_home_directories_gids" datatype="int" version="1"
+ comment="Variable including all gids from primary interactive group">
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_file_groupownership_home_directories_dirs" version="1">
+ <unix:path var_ref="var_file_groupownership_home_directories_dirs" var_check="at least one"/>
+ <unix:filename xsi:nil="true"/>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_file_groupownership_home_directories_gids" version="1">
+ <unix:group_id datatype="int" var_check="only one" var_ref="var_file_groupownership_home_directories_gids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <!-- #### creatin of test_file_groupownership_home_directories #### -->
+ <unix:file_test id="test_file_groupownership_home_directories" check="all" check_existence="any_exist"
+ version="1" comment="All home directories are group-owned by a local interactive group">
+ <unix:object object_ref="object_file_groupownership_home_directories_dirs"/>
+ <unix:state state_ref="state_file_groupownership_home_directories_gids"/>
+ </unix:file_test>
+
+ <!-- #### prepare for test_file_groupownership_home_directories_duplicated #### -->
+ <local_variable id="var_file_groupownership_home_directories_gids_count" datatype="int" version="1"
+ comment="Variable including count of gids from interactive group-owners">
+ <count>
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_dirs"/>
+ </count>
+ </local_variable>
+
+ <local_variable id="var_file_groupownership_home_directories_gids_count_uniq" datatype="int" version="1"
+ comment="Variable including count of uniq gids from interactive group-owners">
+ <count>
+ <unique>
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_dirs"/>
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <ind:variable_object id="object_file_groupownership_home_directories_gids_count" version="1">
+ <ind:var_ref>var_file_groupownership_home_directories_gids_count</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- #### creation of state #### -->
+ <!-- #### creation of state_no_duplicate_groupowners #### -->
+ <ind:variable_state id="state_file_groupownership_home_directories_gids_count_uniq" version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_file_groupownership_home_directories_gids_count_uniq"/>
+ </ind:variable_state>
+
+ <!-- #### creation of test #### -->
+ <ind:variable_test id="test_file_groupownership_home_directories_duplicated" check="all"
+ check_existence="any_exist" version="1"
+ comment="It should not exist duplicated group-owners of home dirs">
+ <ind:object object_ref="object_file_groupownership_home_directories_gids_count"/>
+ <ind:state state_ref="state_file_groupownership_home_directories_gids_count_uniq"/>
+ </ind:variable_test>
+</def-group>
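Review bot: `var_check="only one"` on the file_state group_id (L777) is satisfied only when exactly one value of var_file_groupownership_home_directories_gids matches the directory's group; if two interactive accounts share the same primary GID that value appears twice in the variable and, unless the evaluator deduplicates variable values, both match and the state is not satisfied, so the rule could fail a compliant system that uses shared primary groups — worth confirming against an OVAL interpreter before release. The comment on L781 has a typo (`creatin`).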
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 2e6ce60..e33660f 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -10,6 +10,10 @@ description: |-
interactive users home directory, use the following command:
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i></pre>
+ This rule ensures every home directory related to an interactive user is
+ group-owned by an interactive user. It also ensures that interactive users
+ are group-owners of one and only one home directory.
+
rationale: |-
If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
@@ -42,3 +46,9 @@ ocil: |-
To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
<pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the group-ownership
+ of their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh
new file mode 100644
index 0000000..1605339
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chgrp $USER /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
new file mode 100644
index 0000000..9d0f765
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chgrp $USER1 /home/$USER1
+chgrp $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
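Review bot: The sed expression `/.*:[0-9]\{4,\}:/d` deletes any passwd line that has a colon-delimited field of four or more digits, not specifically a UID >= 1000; an account whose GID or GECOS field is four digits is removed too, and the threshold is hard-coded at 1000 rather than derived from uid_min. For a test fixture this is probably acceptable, but a comment stating the approximation, e.g. `# crude: drops any line with a 4+ digit field, which in the test image means UID/GID >= 1000`, would avoid surprises. The same script is duplicated at L1260 and L1467.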
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
new file mode 100644
index 0000000..c1a87c1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chgrp 2 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
new file mode 100644
index 0000000..d352011
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chgrp 10005 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
new file mode 100644
index 0000000..0cffa4a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chgrp $USER2 /home/$USER1
+chgrp $USER1 /home/$USER2
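Review bot: The comment on L946 (`# Define the same owner for two home directories`) does not describe what follows: the two chgrp lines give each user the other's group, which is the swap scenario rather than the shared-owner one. As written this script is identical in effect to warning_home_dirs_swapped_groupowner.pass.sh (L965-L966), so the "crossed" and "swapped" scenarios exercise the same state; either the comment should read `# Cross the group-ownership of two home directories (expected false negative, see the rule warning)` or one of the two files should cover a distinct case. The ownership tests at L1297-L1298 and L1315-L1316 duplicate each other in the same way.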
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
new file mode 100644
index 0000000..3e5b778
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Swap the group-ownership of two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chgrp $USER2 /home/$USER1
+chgrp $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml
new file mode 100644
index 0000000..97d4274
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml
@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[1]|int >= {{{ uid_min }}}
+ - item.value[1]|int != 65534
+
+- name: Ensure interactive local users are the owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ owner: '{{ item.0.value[1] }}'
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh
new file mode 100644
index 0000000..1d1e675
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
new file mode 100644
index 0000000..3d0b9ae
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
@@ -0,0 +1,142 @@
+<def-group>
+ <!-- Updated references of the OVAL language used in this file can be found in this link:
+ https://oval-community-guidelines.readthedocs.io/en/latest/oval-schema-documentation/oval-definitions-schema.html
+ -->
+
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All interactive user's Home Directories must be owned by its user") }}}
+ <criteria operator="AND">
+ <criterion test_ref="test_file_ownership_home_directories"
+ comment="All interactive user's Home Directories must be owned by its user"/>
+ <criterion test_ref="test_file_ownership_home_directories_duplicated"
+ comment="Interactive users should own only one Home Directory"/>
+ </criteria>
+ </definition>
+
+ <!--
+ Extract a list composed of password objects filtered by UIDs starting in {{{ uid_min }}} and
+ not equal to "nobody". Most of (if not all) distros have the special user "nobody" with uid
+ 65354. Despite it be technically classified as an interactive user, it is a special case with
+ very limited access. So, we ignore it. The resulted password object will be further used to
+ create local variables composed by UIDs e Home Dirs.
+ -->
+ <unix:password_object id="object_file_ownership_home_directories_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_file_ownership_home_directories_interactive_uids</filter>
+ </unix:password_object>
+
+ <!--
+ In distros which uses PAM (almost all), by default, the uid of interactive users and groups
+ starts at 1000. We use this information to make sure this password_state object will be
+ composed only with objects related to interactive users.
+ -->
+ <unix:password_state id="state_file_ownership_home_directories_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <!--
+ #### prepare for test_file_groupownership_home_directories ####
+ From the list of interactive users objects we create a local variable composed of their home dirs.
+ -->
+ <local_variable id="var_file_ownership_home_directories_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir" object_ref="object_file_ownership_home_directories_objects"/>
+ </local_variable>
+
+ <!--
+ From the list of interactive users objects we create a local variable composed of their uids.
+ -->
+ <local_variable id="var_file_ownership_home_directories_uids" datatype="int" version="1"
+ comment="List of interactive users uids">
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_objects"/>
+ </local_variable>
+
+ <!--
+ #### creation of object ####
+ We have the home dirs, but to test their ownership we need a "file_object" and not a password
+ object, as the initial source of this information is. So, we create this file_object based on
+ content from the previous local variable.
+ -->
+ <unix:file_object id="object_file_ownership_home_directories_dirs" version="1">
+ <unix:path var_ref="var_file_ownership_home_directories_dirs" var_check="at least one"/>
+ <unix:filename xsi:nil="true"/>
+ </unix:file_object>
+
+ <!--
+ #### creation of state ####
+ We have the relevant uids, but we need a "file_state" object to use in our intendend test.
+ So, we create this file_state based on content from the previous local variable.
+ -->
+ <unix:file_state id="state_file_ownership_home_directories_uids" version="1">
+ <unix:user_id datatype="int" var_check="only one" var_ref="var_file_ownership_home_directories_uids"/>
+ </unix:file_state>
+
+ <!--
+ #### creation of test ####
+ Perform the test to ensure that all home dirs are owned by an interactive user.
+ This test will make sure that no foreign or system user is owner of an existing home dir.
+ However, this can't ensure that one local interactive user is the owner of only one home dir.
+ Currently this is an OVAL limitation which we try to mitigate with a second test below.
+ -->
+ <unix:file_test id="test_file_ownership_home_directories" check="all" check_existence="any_exist"
+ version="1" comment="All home directories are owned by a local interactive user">
+ <unix:object object_ref="object_file_ownership_home_directories_dirs"/>
+ <unix:state state_ref="state_file_ownership_home_directories_uids"/>
+ </unix:file_test>
+
+ <!--
+ We create an extra test to make sure that the number of home dirs and their respective owners
+ are the same. This is to catch situations where one local user owns more than one home dir.
+ However, we still can have a situation where two local users cross the ownership of their
+ respective home dirs. Although very atypical, we should be aware of this possible false
+ positive and that it is not possible to be solved with the current OVAL capabilities.
+ -->
+ <!--
+ This create an int variable composed by the count of file_object items.
+ -->
+ <local_variable id="var_file_ownership_home_directories_uids_count" datatype="int" version="1"
+ comment="Count home dirs related to interactive users">
+ <count>
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_dirs"/>
+ </count>
+ </local_variable>
+
+ <!--
+ This create an int variable composed by the count of unique user_ids collected from
+ file_object items.
+ -->
+ <local_variable id="var_file_ownership_home_directories_uids_count_uniq" datatype="int" version="1"
+ comment="Count current owners of relevant home dirs">
+ <count>
+ <unique>
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_dirs"/>
+ </unique>
+ </count>
+ </local_variable>
+
+ <!--
+ #### creation of object ####
+ Turn the OVAL variable representing count of home dirs into OVAL object.
+ This way we can test it further.
+ -->
+ <ind:variable_object id="object_file_ownership_home_directories_uids_count" version="1">
+ <ind:var_ref>var_file_ownership_home_directories_uids_count</ind:var_ref>
+ </ind:variable_object>
+
+ <!--
+ #### creation of state ####
+ this state checks that both counts (unique and non-unique) are the same
+ -->
+ <ind:variable_state id="state_file_ownership_home_directories_uids_count_uniq" version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_file_ownership_home_directories_uids_count_uniq"/>
+ </ind:variable_state>
+
+ <!-- #### creation of test #### -->
+ <ind:variable_test id="test_file_ownership_home_directories_duplicated" check="all"
+ check_existence="any_exist" version="1"
+ comment="It should not exist duplicated owners of home dirs">
+ <ind:object object_ref="object_file_ownership_home_directories_uids_count"/>
+ <ind:state state_ref="state_file_ownership_home_directories_uids_count_uniq"/>
+ </ind:variable_test>
+</def-group>
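Review bot: The comment on L1113-L1114 calls the swapped-ownership case a "false positive", while the rule.yml warning added in this commit (L1186) and the test script at L1313 call it a false negative; the rule passes on a non-compliant system, so "false negative" is the accurate term and the comment should be aligned with the rest of the commit. Two smaller slips in the same file: L1041 gives nobody's uid as 65354 (the value used everywhere else in the commit is 65534), and the heading on L1060 refers to test_file_groupownership_home_directories although this is the ownership rule's OVAL.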
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index 198a9be..042f484 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -10,6 +10,10 @@ description: |-
the following command:
<pre>$ sudo chown <i>USER</i> /home/<i>USER</i></pre>
+ This rule ensures every home directory related to an interactive user is
+ owned by an interactive user. It also ensures that interactive users are
+ owners of one and only one home directory.
+
rationale: |-
If a local interactive user does not own their home directory, unauthorized
users could access or modify the user's files, and the users may not be able to
@@ -31,3 +35,9 @@ ocil_clause: 'the user ownership is incorrect'
ocil: |-
To verify the home directory ownership, run the following command:
<pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the ownership of
+ their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh
new file mode 100644
index 0000000..585f759
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chown $USER /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh
new file mode 100644
index 0000000..7c181af
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
new file mode 100644
index 0000000..e6aef9e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chown $USER1 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
new file mode 100644
index 0000000..011b315
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chown 2 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
new file mode 100644
index 0000000..733af78
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chown 10005 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
new file mode 100644
index 0000000..df5655f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Define the same owner for two home directories
+chown $USER2 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
new file mode 100644
index 0000000..e9cfd5b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+# Swap the ownership of two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown $USER2 /home/$USER1
+chown $USER1 /home/$USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
new file mode 100644
index 0000000..945ed7e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing group ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ uid_min }}}
+ - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the group-owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ mode: '0700'
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
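Review bot: The `when` guard on L1344-L1345 tests `item.value[2]` (the primary GID from getent_passwd) against `{{{ uid_min }}}`, while this rule's OVAL (L1390) selects accounts by user_id >= uid_min; the remediation and the check therefore disagree about which accounts are in scope, and an interactive user with a low-GID primary group would be flagged but never remediated. The guard should use the UID field: `- item.value[1]|int >= {{{ uid_min }}}` and `- item.value[1]|int != 65534`. The bash remediation at L1366 has the same mismatch (`$4` compared with uid_min where `$3` is the UID). The task names on L1338 and L1347 still say "group ownership"/"group-owners" although the task sets `mode: '0700'`.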
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh
new file mode 100644
index 0000000..4ebc674
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f 700 "$6) }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
new file mode 100644
index 0000000..0cb261e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
@@ -0,0 +1,51 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All Interactive User Home Directories Must Have mode 0750 Or Less Permissive") }}}
+ <criteria>
+ <criterion test_ref="test_file_permissions_home_directories"
+ comment="All interactive user's Home Directories must have proper permissions"/>
+ </criteria>
+ </definition>
+
+ <!-- For detailed comments about logic used in this OVAL, check the
+ "file_ownership_home_directories" rule. -->
+ <unix:password_object id="object_file_permissions_home_directories_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_file_permissions_home_directories_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_file_permissions_home_directories_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <!-- #### prepare for test_file_permissions_home_directories #### -->
+ <local_variable id="var_file_permissions_home_directories_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir" object_ref="object_file_permissions_home_directories_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_file_permissions_home_directories_dirs" version="1">
+ <unix:path var_ref="var_file_permissions_home_directories_dirs" var_check="at least one"/>
+ <unix:filename xsi:nil="true"/>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_file_permissions_home_directories_dirs" version="1" operator='AND'>
+ <unix:type operation="equals">directory</unix:type>
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:oread datatype="boolean">false</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_file_permissions_home_directories" check="all" check_existence="any_exist"
+ version="1" comment="All home directories have proper permissions">
+ <unix:object object_ref="object_file_permissions_home_directories_dirs"/>
+ <unix:state state_ref="state_file_permissions_home_directories_dirs"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh
new file mode 100644
index 0000000..aaf939e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chmod 750 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh
new file mode 100644
index 0000000..5dfd426
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chmod 700 /home/$USER
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
new file mode 100644
index 0000000..2f337d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+chmod 755 /home/$USER
diff --git a/ssg/constants.py b/ssg/constants.py
index e2d3077..64e2712 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -380,6 +380,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
# Application constants
+DEFAULT_GID_MIN = 1000
DEFAULT_UID_MIN = 1000
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b7..e410e06 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -7,6 +7,7 @@ from glob import glob
from .build_cpe import ProductCPEs
from .constants import (product_directories,
+ DEFAULT_GID_MIN,
DEFAULT_UID_MIN,
DEFAULT_GRUB2_BOOT_PATH,
DEFAULT_DCONF_GDM_DIR,
@@ -39,6 +40,9 @@ def _get_implied_properties(existing_properties):
if pkg_manager in PKG_MANAGER_TO_CONFIG_FILE:
result["pkg_manager_config_file"] = PKG_MANAGER_TO_CONFIG_FILE[pkg_manager]
+ if "gid_min" not in existing_properties:
+ result["gid_min"] = DEFAULT_GID_MIN
+
if "uid_min" not in existing_properties:
result["uid_min"] = DEFAULT_UID_MIN


@ -0,0 +1,507 @@
From 5ec53805a4aaf04752400eef826ff49222c0a3ba Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 20 Oct 2021 16:17:01 +0200
Subject: [PATCH 1/3] OVAL, tests and remediation for the rule:
accounts_user_interactive_home_directory_defined
---
.../ansible/shared.yml | 24 +++++++++++++
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 36 +++++++++++++++++++
.../tests/home_dir_all_empty.fail.sh | 6 ++++
.../tests/home_dir_not_exclusive.fail.sh | 6 ++++
.../tests/home_dir_one_empty.fail.sh | 8 +++++
.../tests/home_dir_properly_defined.pass.sh | 4 +++
.../tests/home_dir_root.fail.sh | 6 ++++
.../tests/interactive_users_absent.pass.sh | 4 +++
9 files changed, 103 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
new file mode 100644
index 00000000000..fc9b780daa8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Ensure interactive users have a home directory defined
+ ansible.builtin.user:
+ name: '{{ item.key }}'
+ home: '/home/{{ item.key }}'
+ create_home: no
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ uid_min }}}
+ - item.value[2]|int != 65534
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
new file mode 100644
index 00000000000..23b0a85aa6a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
+ sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
+done
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
new file mode 100644
index 00000000000..5efb84ab2cf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
@@ -0,0 +1,36 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All Interactive Users Must Have A Home Directory Defined") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_interactive_home_directory_defined"
+ comment="All Interactive Users Must Have A Home Directory Defined"/>
+ </criteria>
+ </definition>
+
+ <!-- For detailed comments about logic used in this OVAL, check the
+ "file_ownership_home_directories" rule.
+ #### creation of object #### -->
+ <unix:password_object id="object_accounts_user_interactive_home_directory_defined_objects"
+ version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_interactive_home_directory_defined_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_interactive_home_directory_defined_uids"
+ version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <!-- #### creation of state #### -->
+ <unix:password_state id="state_accounts_user_interactive_home_directory_defined" version="1">
+ <unix:home_dir operation="pattern match">^\/\w*\/\w{1,}[\/\w]*$</unix:home_dir>
+ </unix:password_state>
+
+ <!-- #### creation of test #### -->
+ <unix:password_test id="test_accounts_user_interactive_home_directory_defined" check="all"
+ check_existence="any_exist" version="1"
+ comment="All Interactive Users Have A Home Directory Defined">
+ <unix:object object_ref="object_accounts_user_interactive_home_directory_defined_objects"/>
+ <unix:state state_ref="state_accounts_user_interactive_home_directory_defined"/>
+ </unix:password_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
new file mode 100644
index 00000000000..4bc9e10a21c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+
+sed -i "s/\(.*:x:[0-9]\{4,\}:[0-9]*:.*:\).*\(:.*\)$/\1\2/g" /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
new file mode 100644
index 00000000000..5c905e03791
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+
+sed -i 's/\(.*:x:[0-9]\{4,\}:[0-9]*:.*:\).*\(:.*\)$/\1\/tmp\2/g' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
new file mode 100644
index 00000000000..00d37799c77
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+useradd -M $USER1
+useradd -M $USER2
+
+sed -i "s/\($USER1:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\2/g" /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
new file mode 100644
index 00000000000..7c181afdd4b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
new file mode 100644
index 00000000000..16bb94477bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+
+sed -i "s/\($USER:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/\2/g" /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
From 47cf69c176ce8e7ec1922bf8cdcd1d35b02552c9 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Tue, 26 Oct 2021 14:39:11 +0200
Subject: [PATCH 2/3] OVAL, tests and remediation for the rule:
accounts_user_interactive_home_directory_exists
---
.../bash/shared.sh | 2 +-
.../ansible/shared.yml | 24 +++++
.../bash/shared.sh | 9 ++
.../oval/shared.xml | 91 +++++++++++++++++++
.../tests/home_dir_present.pass.sh | 10 ++
.../tests/home_dirs_all_absent.fail.sh | 6 ++
.../tests/home_dirs_one_absent.fail.sh | 7 ++
.../tests/interactive_users_absent.pass.sh | 4 +
8 files changed, 152 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
index 23b0a85aa6a..94f8a579f1f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
@@ -6,4 +6,4 @@
for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
-done
\ No newline at end of file
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
new file mode 100644
index 00000000000..e7acc477d25
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Ensure interactive users have a home directory defined
+ ansible.builtin.user:
+ name: '{{ item.key }}'
+ home: '/home/{{ item.key }}'
+ create_home: yes
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ uid_min }}}
+ - item.value[2]|int != 65534
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
new file mode 100644
index 00000000000..044b650f103
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1}' /etc/passwd); do
+ mkhomedir_helper $user 0077;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
new file mode 100644
index 00000000000..0a5b313f5b4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
@@ -0,0 +1,91 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All Interactive Users Home Directories Must Exist") }}}
+ <criteria operator="OR">
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists"
+ comment="All Interactive Users Home Directories Must Exist"/>
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists_users"
+ comment="Interactive users don't exist on the system"/>
+ </criteria>
+ </definition>
+
+ <!-- #### prepare a password object for the two tests in this rule #### -->
+ <unix:password_object id="object_accounts_user_interactive_home_directory_exists_objects"
+ version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_interactive_home_directory_exists_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_interactive_home_directory_exists_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
+ datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_interactive_home_directory_exists_objects"/>
+ </local_variable>
+
+ <!-- #### create a local variable composed by the number of home dirs from /etc/passwd #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count"
+ datatype="int" version="1"
+ comment="Variable including expected count of home dirs present on the system">
+ <count>
+ <variable_component var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"/>
+ </count>
+ </local_variable>
+
+ <!-- #### create a file_object to check existence of home dirs on file system #### -->
+ <unix:file_object id="object_accounts_user_interactive_home_directory_exists_dirs_fs"
+ version="1">
+ <unix:path var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"
+ var_check="at least one"/>
+ <unix:filename xsi:nil="true"/>
+ </unix:file_object>
+
+ <!-- #### create a local variable with the number of home dirs present on file system #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count_fs"
+ datatype="int" version="1"
+ comment="Variable including number of home dirs present on file system">
+ <count>
+ <object_component item_field="path"
+ object_ref="object_accounts_user_interactive_home_directory_exists_dirs_fs"/>
+ </count>
+ </local_variable>
+
+ <!-- #### create a variable object with count of home dirs from file system #### -->
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"
+ version="1">
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count_fs</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- #### create a variable state with count of home dirs from /etc/passwd #### -->
+ <ind:variable_state id="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_accounts_user_interactive_home_directory_exists_dirs_count"/>
+ </ind:variable_state>
+
+ <!-- #### test_accounts_user_interactive_home_directory_exists #### -->
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists" check="all"
+ check_existence="at_least_one_exists" version="1"
+ comment="Check the existence of interactive users.">
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"/>
+ <ind:state state_ref="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
+ </ind:variable_test>
+
+ <!-- #### create of variable object with count of home dirs from /etc/passwd #### -->
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"
+ version="1">
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- #### test_accounts_user_interactive_home_directory_exists_users #### -->
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists_users" check="all"
+ check_existence="none_exist" version="1"
+ comment="Check the existence of interactive users.">
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
+ </ind:variable_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
new file mode 100644
index 00000000000..d5434cbe4f5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+
+# This is to make sure that any possible user create in the test environment has also
+# a home dir created on the system.
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1}' /etc/passwd); do
+ mkhomedir_helper $user 0077;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
new file mode 100644
index 00000000000..5bce517215c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
From 0d6a5e588d71e927291641cbf2a23259995f0b2d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 8 Nov 2021 15:09:12 +0100
Subject: [PATCH 3/3] Improved the remediation and rule description
Included conditional on remediation to make sure that
already compliant home directories are skipped.
---
.../ansible/shared.yml | 3 ++-
.../bash/shared.sh | 7 +++++--
.../rule.yml | 5 +++++
.../tests/home_dir_defined_out_home.pass.sh | 4 ++++
.../ansible/shared.yml | 3 +--
5 files changed, 17 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
index fc9b780daa8..13fbdd1ca44 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
@@ -13,7 +13,7 @@
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
-- name: Ensure interactive users have a home directory defined
+- name: Ensure interactive users have an exclusive home directory defined
ansible.builtin.user:
name: '{{ item.key }}'
home: '/home/{{ item.key }}'
@@ -22,3 +22,4 @@
when:
- item.value[2]|int >= {{{ uid_min }}}
- item.value[2]|int != 65534
+ - not item.value[4] | regex_search('^\/\w*\/\w{1,}')
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
index 94f8a579f1f..7fac61d4892 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
@@ -4,6 +4,9 @@
# complexity = low
# disruption = low
-for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
- sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do
+ # This follows the same logic of evaluation of home directories as used in OVAL.
+ if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then
+ sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
+ fi
done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index 20d26032338..b58164c5403 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -8,6 +8,11 @@ description: |-
Assign home directories to all interactive users that currently do not
have a home directory assigned.
+ This rule checks if the home directory is properly defined in a folder which has
+ at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
+ Therefore, this rule will report a finding for home directories like <tt>/users</tt>,
+ <tt>/tmp</tt> or <tt>/</tt>.
+
rationale: |-
If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
new file mode 100644
index 00000000000..c7100f304ca
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M -d /data/$USER $USER
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
index e7acc477d25..84382a7f488 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
@@ -13,10 +13,9 @@
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
-- name: Ensure interactive users have a home directory defined
+- name: Ensure interactive users have a home directory exists
ansible.builtin.user:
name: '{{ item.key }}'
- home: '/home/{{ item.key }}'
create_home: yes
loop: '{{ local_users }}'
when:
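Review bot: The compliance pre-check added on the `if` line of the third patch's `accounts_user_interactive_home_directory_defined/bash/shared.sh` hunk (`if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then`) can never succeed, because `grep -q` writes nothing to stdout, so `cut` and the trailing `grep` always see empty input, the final `grep` always exits non-zero, and with the leading `!` the `sed` rewrite runs for every interactive user, which is exactly what the patch description says it is meant to avoid. It also matches `$user` as an unanchored substring of any passwd line rather than as the username field. A form that implements the intended check is `if ! getent passwd "$user" | cut -d: -f6 | grep -q '^\/\w*\/\w\{1,\}'; then`. Separately, the `awk` selectors in this section (`$4 >= {{{ uid_min }}}` in both bash remediations and in the `home_dir_present.pass.sh` test) read the primary-GID field of /etc/passwd, whereas the OVAL `user_id` state compares the UID, so the remediation and the check can disagree on which accounts count as interactive; `$3` is the UID field.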


@ -0,0 +1,662 @@
commit dc273bb872cc53f2d52af4396f4d3bba0acc178f
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 17:30:42 2022 +0100
Manual edited patch scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
new file mode 100644
index 0000000..ff41e19
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ gid_min }}}
+ - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ group: '{{ item.0.value[2] }}'
+ recurse: yes
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
new file mode 100644
index 0000000..e392d2f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in $(awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do
+ home_dir=$(getent passwd $user | cut -d: -f6)
+ group=$(getent passwd $user | cut -d: -f4)
+ # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
+ # when the group is already defined as expected, therefore not impacting in possible integrity
+ # check systems that also check inodes timestamps.
+ find $home_dir -not -group $group -exec chgrp -f $group {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
new file mode 100644
index 0000000..1fd016a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_users_home_files_groupownership"
+ comment="All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_users_home_files_groupownership_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_users_home_files_groupownership_objects"/>
+ </local_variable>
+
+ <local_variable id="var_accounts_users_home_files_groupownership_gids" datatype="int" version="1"
+ comment="List of interactive users gids">
+ <object_component item_field="group_id"
+ object_ref="object_accounts_users_home_files_groupownership_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_users_home_files_groupownership_dirs" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_users_home_files_groupownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">.*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_users_home_files_groupownership_gids" version="1">
+ <unix:group_id datatype="int" var_check="only one"
+ var_ref="var_accounts_users_home_files_groupownership_gids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_users_home_files_groupownership" check="all"
+ check_existence="any_exist" version="1"
+ comment="All home directories files are group-owned by a local interactive user">
+ <unix:object object_ref="object_accounts_users_home_files_groupownership_dirs"/>
+ <unix:state state_ref="state_accounts_users_home_files_groupownership_gids"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
index 1c0f93a..31a0f1d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
local interactive users files and directories, use the following command:
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/<i>FILE_DIR</i></pre>
+ This rule ensures every file or directory under the home directory related
+ to an interactive user is group-owned by an interactive user.
+
rationale: |-
If a local interactive users files are group-owned by a group of which the
user is not a member, unintended users may be able to access them.
@@ -33,3 +36,9 @@ ocil: |-
group-owned by a group the user is a member of, run the
following command:
<pre>$ sudo ls -lLR /home/<i>USER</i></pre>
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the group-ownership
+ of folders or files in their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
new file mode 100644
index 0000000..8538430
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp -f $USER /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
new file mode 100644
index 0000000..f105723
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp 2 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
new file mode 100644
index 0000000..00fa481
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chgrp 10005 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
new file mode 100644
index 0000000..052aa7c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+echo "$USER1" > /home/$USER1/$USER1.txt
+echo "$USER2" > /home/$USER2/$USER2.txt
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chgrp -f $USER2 /home/$USER1/$USER1.txt
+chgrp -f $USER1 /home/$USER2/$USER2.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
new file mode 100644
index 0000000..40a0579
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[1]|int >= {{{ uid_min }}}
+ - item.value[1]|int != 65534
+
+- name: Ensure interactive local users are the owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ owner: '{{ item.0.value[1] }}'
+ recurse: yes
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
new file mode 100644
index 0000000..236c800
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $1 }' /etc/passwd); do
+ home_dir=$(getent passwd $user | cut -d: -f6)
+ # Only update the ownership when necessary. This will avoid changing the inode timestamp
+ # when the owner is already defined as expected, therefore not impacting in possible integrity
+ # check systems that also check inodes timestamps.
+ find $home_dir -not -user $user -exec chown -f $user {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
new file mode 100644
index 0000000..1850cfb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have a Valid Owner") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_users_home_files_ownership"
+ comment="All User Files and Directories In The Home Directory Must Have a Valid Owner"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_users_home_files_ownership_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_users_home_files_ownership_objects"/>
+ </local_variable>
+
+ <local_variable id="var_accounts_users_home_files_ownership_uids" datatype="int" version="1"
+ comment="List of interactive users uids">
+ <object_component item_field="user_id"
+ object_ref="object_accounts_users_home_files_ownership_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_users_home_files_ownership_dirs" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_users_home_files_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">.*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_users_home_files_ownership_uids" version="1">
+ <unix:user_id datatype="int" var_check="only one"
+ var_ref="var_accounts_users_home_files_ownership_uids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_users_home_files_ownership" check="all"
+ check_existence="any_exist" version="1"
+ comment="All home directories files are owned by a local interactive user">
+ <unix:object object_ref="object_accounts_users_home_files_ownership_dirs"/>
+ <unix:state state_ref="state_accounts_users_home_files_ownership_uids"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
index 13f6bfe..5bfb388 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
directories, use the following command:
<pre>$ sudo chown -R <i>USER</i> /home/<i>USER</i></pre>
+ This rule ensures every file or directory under the home directory related
+ to an interactive user is owned by an interactive user.
+
rationale: |-
If local interactive users do not own the files in their directories,
unauthorized users may be able to access them. Additionally, if files are not
@@ -34,3 +37,9 @@ ocil: |-
To verify all files and directories in interactive users home directory
are owned by the user, run the following command:
<pre>$ sudo ls -lLR /home/<i>USER</i></pre>
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the ownership of
+ folders or files in their respective home directories.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
new file mode 100644
index 0000000..da68cb4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown $USER /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 0000000..5bce517
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
new file mode 100644
index 0000000..59c46a9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown 2 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
new file mode 100644
index 0000000..e0f5514
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chown 10005 /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
new file mode 100644
index 0000000..1174ec6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+echo "$USER1" > /home/$USER1/$USER1.txt
+echo "$USER2" > /home/$USER2/$USER2.txt
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown -f $USER2 /home/$USER1/$USER1.txt
+chown -f $USER1 /home/$USER2/$USER2.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
new file mode 100644
index 0000000..9473710
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+
+- name: Test for existence home directories to avoid creating them, but only fixing group ownership
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[2]|int >= {{{ uid_min }}}
+ - item.value[2]|int != 65534
+
+- name: Ensure interactive local users are the group-owners of their respective home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ mode: 'g-w,o=-'
+ follow: no
+ recurse: yes
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when:
+ - item.1.stat is defined and item.1.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
new file mode 100644
index 0000000..186d55d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for home_dir in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $6 }' /etc/passwd); do
+ # Only update the permissions when necessary. This will avoid changing the inode timestamp when
+ # the permission is already defined as expected, therefore not impacting in possible integrity
+ # check systems that also check inodes timestamps.
+ find $home_dir -perm /027 -exec chmod g-w,o=- {} \;
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
new file mode 100644
index 0000000..d3db46d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_users_home_files_permissions"
+ comment="All files under interactive user's Home Directories must have proper permissions"/>
+ </criteria>
+ </definition>
+
+ <!-- For detailed comments about logic used in this OVAL, check the
+ "file_ownership_home_directories" rule. -->
+ <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <!-- #### prepare for test_file_permissions_home_directories #### -->
+ <local_variable id="var_accounts_users_home_files_permissions_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir" object_ref="object_accounts_users_home_files_permissions_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_users_home_files_permissions_dirs" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">.*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_users_home_files_permissions_dirs" version="1" operator='AND'>
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:oread datatype="boolean">false</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_users_home_files_permissions" check="all" check_existence="any_exist"
+ version="1" comment="All home directories have proper permissions">
+ <unix:object object_ref="object_accounts_users_home_files_permissions_dirs"/>
+ <unix:state state_ref="state_accounts_users_home_files_permissions_dirs"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
new file mode 100644
index 0000000..3561847
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 750 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
new file mode 100644
index 0000000..8ed7fa2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 700 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
new file mode 100644
index 0000000..af24025
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
new file mode 100644
index 0000000..ed34f09
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
new file mode 100644
index 0000000..b561671
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -Rf 700 /home/$USER/.*
+chmod -f o+r /home/$USER/$USER.txt
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
new file mode 100644
index 0000000..d7811bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/.init_file
+chmod -Rf 700 /home/$USER/.*
+chmod -f o+r /home/$USER/.init_file
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh
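Review bot: The bash remediations added for accounts_users_home_files_permissions, _ownership and _groupownership (`find $home_dir -perm /027 -exec chmod g-w,o=- {} \;`, `find $home_dir -not -user $user -exec chown -f $user {} \;` and the chgrp counterpart) run as root over a tree the user controls, and chmod/chown/chgrp dereference symbolic links, so a symlink placed inside the home directory redirects the change to its target outside it; a symlink's own mode is 0777, so `-perm /027` matches every symlink and the chmod is applied to every target. The Ansible variant of the permissions rule already guards this with `follow: no`, but none of the three bash scripts do. Suggested lines: `find "$home_dir" -not -type l -perm /027 -exec chmod g-w,o=- {} \;`, `find "$home_dir" -not -type l -not -user "$user" -exec chown -f "$user" {} \;` and the same `-not -type l` plus quoting in the chgrp loop (quoting also keeps home paths with whitespace intact). Separately, the permissions remediations select users by the GID column (`$4` in awk, `item.value[2]` in Ansible) compared against uid_min, while that rule's OVAL filters the password_object on user_id, so a user whose primary GID is below uid_min would be evaluated by the check but skipped by the fix; the ownership rule's `$3`/`item.value[1]` is the consistent form. The test helpers' `chmod -Rf 750 /home/$USER/.*` also matches `..`, i.e. `/home` itself, which recursively re-modes every home directory in the test environment.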


@ -0,0 +1,851 @@
From 55ec5c49441f6b99914eef15c6cc559910311934 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:02:09 +0100
Subject: [PATCH 1/4] OVAL, tests and remediation for rule:
accounts_user_dot_user_ownership
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../accounts_user_dot_user_ownership/rule.yml | 9 ++++
.../tests/expected_owner.pass.sh | 6 +++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../home_dirs_one_absent_owner_ok.pass.sh | 10 ++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
.../tests/unexpected_owner_system_uid.fail.sh | 6 +++
.../unexpected_owner_unknown_uid.fail.sh | 6 +++
.../tests/warning_swapped_owners.pass.sh | 15 ++++++
12 files changed, 137 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
new file mode 100644
index 00000000000..3801e0cfdec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
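Review bot: The home directory from passwd field `$6` is spliced unquoted into the string that awk's `system()` hands to `/bin/sh`, so a home path containing whitespace or shell metacharacters is word-split or interpreted instead of used literally, and the chown then hits the wrong path or fails without a message because of `-f`. Single-quoting only the directory part keeps the glob working: `system("chown -f " $3 " '" $6 "'/.[^.]?*")`. The `\.` inside the awk string literal is not a recognised escape (gawk warns and treats it as a plain `.`), so `[^.]` is equivalent and quieter. The bash variant in the next hunk, and the group-ownership and world-writable remediations later in the series, build the command the same way.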
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
new file mode 100644
index 00000000000..f362a2656aa
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
new file mode 100644
index 00000000000..fb12ce73b23
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Be Owned By the Primary User") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_dot_user_ownership"
+ comment="User Initialization Files Must Be Owned By the Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_user_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_user_ownership_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_user_ownership_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_user_dot_user_ownership_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
+ </local_variable>
+
+ <local_variable id="var_accounts_user_dot_user_ownership_uids" datatype="int" version="1"
+ comment="List of interactive users uids">
+ <object_component item_field="user_id"
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_user_dot_user_ownership_init_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_user_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_user_dot_user_ownership_uids" version="1">
+ <unix:user_id datatype="int" var_check="only one"
+ var_ref="var_accounts_user_dot_user_ownership_uids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_user_dot_user_ownership" check="all"
+ check_existence="any_exist" version="1"
+ comment="All user initialization files are owned by a local interactive user">
+ <unix:object object_ref="object_accounts_user_dot_user_ownership_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_user_ownership_uids"/>
+ </unix:file_test>
+</def-group>
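Review bot: The file_object's `recurse="directories"` with `max_depth="1"` walks one level below each home directory, so a dot-file inside a first-level subdirectory (`~/somedir/.foo`) is evaluated against the state, while the chown in the remediation hunks only touches `$HOME/.[^.]?*` at the top level; if I read the OVAL behaviors correctly, such a file owned by another UID fails the rule and is never fixed. Either `max_depth="0"` on the behaviors, or a remediation that descends one level, would align check and fix. The group-ownership OVAL later in the series uses the same depth, and the world-writable-programs OVAL uses `max_depth="-1"` against a remediation that is also top-level only.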
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index 37efb159c08..ec75aa01f12 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -9,6 +9,9 @@ description: |-
the primary owner with the following command:
<pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre>
+ This rule ensures every initialization file related to an interactive user
+ is owned by an interactive user.
+
rationale: |-
Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
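Review bot: The command the description still gives on the new side, `sudo chown USER /home/USER/.*`, is unsafe as written: on any bash before 5.2 (no `globskipdots`), `.*` also expands to `.` and `..`, so the command hands ownership of `/home` itself to USER, giving that user control over the parent of every other home directory. The remediation in this commit uses `.[^.]?*` precisely to avoid this, and the description should use the same pattern: `<pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.[^.]*</pre>`. The `ls -al /home/USER/.*` in the ocil hunk below has the same expansion (harmless for ls but listing `/home`), and `chmod -f 755 /home/$USER/.*` in the world-writable test scripts later in the series rewrites the mode of `/home` for the same reason.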
@@ -33,3 +36,9 @@ ocil: |-
primary user, run the following command:
<pre>$ sudo ls -al /home/<i>USER</i>/.*</pre>
The user initialization files should be owned by <i>USER</i>.
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the ownership of
+ their respective initialization files.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
new file mode 100644
index 00000000000..3d30238225e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown $USER /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
new file mode 100644
index 00000000000..840477d2c83
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+touch /home/$USER1/.bashrc
+chown $USER1 /home/$USER1/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
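Review bot: The comment says interactive users (ID >= 1000) are removed, but the `sed` expression deletes any passwd line containing a colon-delimited run of four or more digits, which also matches on the GID field and removes the `nobody` entry (65534), and it does not follow `uid_min`. That is likely fine for a scenario whose point is that no interactive user remains, but the comment should state what the expression actually does: `# drop every passwd entry whose UID or GID field has 4+ digits (this includes nobody)`. The same script is duplicated in the group-ownership and world-writable test directories later in the series.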
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..9292a46b3b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chown 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
new file mode 100644
index 00000000000..0373eb6a5f6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
new file mode 100644
index 00000000000..da7f50ce905
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
new file mode 100644
index 00000000000..b4a95ae2242
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+touch /home/$USER1/.bashrc
+touch /home/$USER2/.bashrc
+
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown -f $USER2 /home/$USER1/.bashrc
+chown -f $USER1 /home/$USER2/.bashrc
From cc6318c8afc898190a090058fbdfbdfc741d4d85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:05:19 +0100
Subject: [PATCH 2/4] OVAL, tests and remediation for rule:
accounts_user_dot_group_ownership
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../rule.yml | 9 ++++
.../tests/expected_groupowner.pass.sh | 6 +++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../home_dirs_one_absent_group_ok.pass.sh | 10 ++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
.../unexpected_groupowner_system_gid.fail.sh | 6 +++
.../unexpected_groupowner_unknown_gid.fail.sh | 6 +++
.../tests/warning_swapped_groupowners.pass.sh | 15 ++++++
12 files changed, 137 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
new file mode 100644
index 00000000000..1a9fa192359
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the group-owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
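Review bot: `chgrp -f " $3` passes the user's UID (passwd field 3) as the group, so the files end up group-owned by whichever group, if any, has that numeric GID; that only coincides with the user's primary group under a user-private-group layout, and the OVAL for this rule compares file group_id against the passwd `group_id` field, so the remediation can leave the rule failing. Field 4 is the primary GID: `system("chgrp -f " $4 " " $6 "/.[^.]?*")`. The filter also keys on `$3 >= uid_min` while the OVAL password_state selects users by `group_id >= gid_min`, so the two definitions of "interactive user" can diverge. The bash variant in the following hunk has the same issue.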
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
new file mode 100644
index 00000000000..2b0fe395e29
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
new file mode 100644
index 00000000000..7ee39a3e794
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Be Group-Owned By The Primary User") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_dot_group_ownership"
+ comment="User Initialization Files Must Be Group-Owned By The Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_group_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_group_ownership_interactive_gids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_group_ownership_interactive_gids" version="1">
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_user_dot_group_ownership_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+ <local_variable id="var_accounts_user_dot_group_ownership_gids" datatype="int" version="1"
+ comment="List of interactive users gids">
+ <object_component item_field="group_id"
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_user_dot_group_ownership_init_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_group_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_user_dot_group_ownership_gids" version="1">
+ <unix:group_id datatype="int" var_check="only one"
+ var_ref="var_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_user_dot_group_ownership" check="all"
+ check_existence="any_exist" version="1"
+ comment="All user initialization files are group-owned by a local interactive user">
+ <unix:object object_ref="object_accounts_user_dot_group_ownership_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index a9cf96afc8c..d7d75a6600f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
interactive user home directory, use the following command:
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/.<i>INIT_FILE</i></pre>
+ This rule ensures every initialization file related to an interactive user
+ is group-owned by an interactive user.
+
rationale: |-
Local initialization files for interactive users are used to configure the
user's shell environment upon logon. Malicious modification of these files could
@@ -35,3 +38,9 @@ ocil: |-
users in <tt>/etc/passwd</tt> and verify all initialization files under the
respective users home directory. Check the group owner of all local interactive users
initialization files.
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the group-ownership
+ of their respective initialization files.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
new file mode 100644
index 00000000000..0b89e741fbf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp $USER /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
new file mode 100644
index 00000000000..90e1787dccc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+touch /home/$USER1/.bashrc
+chgrp $USER1 /home/$USER1/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..5b9e17c5384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chgrp 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
new file mode 100644
index 00000000000..b21e7229ed2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
new file mode 100644
index 00000000000..7c1bcac44d6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
new file mode 100644
index 00000000000..d58a9dd63bf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+touch /home/$USER1/.bashrc
+touch /home/$USER2/.bashrc
+
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chgrp -f $USER2 /home/$USER1/.bashrc
+chgrp -f $USER1 /home/$USER2/.bashrc
From 2e28bd10bfec8466362e74b7c5d95481e95d0ae9 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:06:56 +0100
Subject: [PATCH 3/4] OVAL, tests and remediation for rule:
accounts_user_dot_no_world_writable_programs
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../tests/expected_permissions.pass.sh | 6 +++
.../tests/home_dirs_absent.pass.sh | 6 +++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/lenient_permission.fail.sh | 6 +++
.../tests/more_restrictive_permission.pass.sh | 6 +++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
9 files changed, 103 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
new file mode 100644
index 00000000000..210d12a53fe
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the group-owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ gid_min }}} && $3 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
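Review bot: The task name is copied from the group-ownership rule ("group-owners of their respective initialization files") but the command strips write bits, and the filter compares the UID field `$3` against `gid_min`, whereas the OVAL for this rule selects users by `user_id >= uid_min`; the bash variant in the next hunk compares `$4` (the GID) against `uid_min` instead. Both remediations should use `$3 >= {{{ uid_min }}} && $3 != 65534` to match the check, and the task name should describe the action, e.g. `- name: Ensure initialization files of interactive local users are not group- or world-writable`.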
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
new file mode 100644
index 00000000000..24ff95c6cd7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
new file mode 100644
index 00000000000..ca8ecb2b447
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Not Run World-Writable Programs") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_dot_no_world_writable_programs"
+ comment="User Initialization Files Must Not Run World-Writable Programs"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_no_world_writable_programs_objects"
+ version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_no_world_writable_programs_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_no_world_writable_programs_interactive_uids"
+ version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_user_dot_no_world_writable_programs_dirs"
+ datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_dot_no_world_writable_programs_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_user_dot_no_world_writable_programs_init_files"
+ version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_no_world_writable_programs_dirs"
+ var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_user_dot_no_world_writable_programs" version="1"
+ operator='AND'>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_user_dot_no_world_writable_programs" check="all"
+ check_existence="any_exist" version="1"
+ comment="All home directories have proper permissions">
+ <unix:object object_ref="object_accounts_user_dot_no_world_writable_programs_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_no_world_writable_programs"/>
+ </unix:file_test>
+</def-group>
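Review bot: The file_test comment `All home directories have proper permissions` describes a different rule; the object collects dot-files under the home directories, not the directories themselves, so it should read `All user initialization files are neither group- nor world-writable`. With `max_depth="-1"` the object also matches dot-files at any depth below a home directory, while the remediation hunks above only change modes at the top level, so a nested file flagged here is not fixed by them.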
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
new file mode 100644
index 00000000000..7a2b35eba77
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f 755 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
new file mode 100644
index 00000000000..5fcf95f5f96
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chmod -f o+w /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
new file mode 100644
index 00000000000..655c6d32e47
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f 700 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..66439b768ca
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f o+w /home/$USER/$USER.txt
From f7f5735115ad3fa98fac8644aa844ed54d4d5dd7 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:07:55 +0100
Subject: [PATCH 4/4] OVAL, tests and remediation for rule:
accounts_umask_interactive_users
---
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 40 +++++++++++++++++++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../tests/home_dirs_one_absent.pass.sh | 10 +++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 5 +++
.../tests/umask_defined.fail.sh | 5 +++
8 files changed, 91 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
new file mode 100644
index 00000000000..142f10a2157
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+ ansible.builtin.shell:
+ cmd: |
+ for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
+ done
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
new file mode 100644
index 00000000000..0644b221df8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
+done
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
new file mode 100644
index 00000000000..42dbdbbae46
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
@@ -0,0 +1,40 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure the Default Umask is Set Correctly For Interactive Users") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_umask_interactive_users"
+ comment="Ensure the Default Umask is Set Correctly For Interactive Users"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_umask_interactive_users_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_umask_interactive_users_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_umask_interactive_users_interactive_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_umask_interactive_users_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_umask_interactive_users_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <ind:textfilecontent54_object id="object_accounts_umask_interactive_users"
+ comment="Umask value from initialization files" version="1">
+ <ind:path var_ref="var_accounts_umask_interactive_users_dirs" var_check="at least one"/>
+ <ind:filename operation="pattern match">^\..*</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- #### creation of test #### -->
+ <ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
+ check_existence="none_exist" version="1"
+ comment="Umask must not be defined in user initialization files">
+ <ind:object object_ref="object_accounts_umask_interactive_users"/>
+ </ind:textfilecontent54_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
new file mode 100644
index 00000000000..0ad9248d14b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+# Make sure no umask definition exists in the startup files
+sed -i 's/^\([\s]*umask\s*\)/#\1/g' /home/$USER1/.[^\.]?*
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..27f580ae45a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "umask 022" > /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
new file mode 100644
index 00000000000..f7835392acf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "umask 022" >> /home/$USER/.bashrc


@ -0,0 +1,74 @@
From 1b7bd47bd8fa3f828aca0bf0add7fc188893ef11 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 21 Sep 2021 07:44:29 -0500
Subject: [PATCH 1/2] Add STIG references for FIPS
---
.../integrity/crypto/configure_bind_crypto_policy/rule.yml | 1 +
.../software/integrity/crypto/configure_crypto_policy/rule.yml | 1 +
.../integrity/crypto/configure_kerberos_crypto_policy/rule.yml | 1 +
.../integrity/crypto/configure_libreswan_crypto_policy/rule.yml | 1 +
.../software/integrity/fips/enable_dracut_fips_module/rule.yml | 1 +
5 files changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
index 5484e11ad9f..e58c9506083 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -29,6 +29,7 @@ identifiers:
references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
nist: SC-13,SC-12(2),SC-12(3)
+ stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
ocil_clause: |-
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index d4ea4db6c14..5eea87ac006 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -65,6 +65,7 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
+ stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
index b219c9d2801..e1f5e55e8cd 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
@@ -28,6 +28,7 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
nist: SC-13,SC-12(2),SC-12(3)
srg: SRG-OS-000120-GPOS-00061
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'the symlink does not exist or points to a different target'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index cd03ecf30d1..1fffb2ad2b7 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -33,6 +33,7 @@ references:
nist: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
ospp: FCS_IPSEC_EXT.1.4,FCS_IPSEC_EXT.1.6
srg: SRG-OS-000033-GPOS-00014
+ stigid@rhel8: RHEL-08-010020
ocil_clause: |-
Libreswan is installed and <tt>/etc/ipsec.conf</tt> does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
index 9486031be54..fe20c1958a6 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
@@ -30,6 +30,7 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
srg: SRG-OS-000478-GPOS-00223
+ stigid@rhel8: RHEL-08-010020
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
ocil_clause: 'the Dracut FIPS module is not enabled'


@ -0,0 +1,47 @@
From 155a46f32b02fec3fa9a99d2a6fa2f1a5287fcaf Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 29 Sep 2021 09:43:56 -0500
Subject: [PATCH] Add RHEL8 FIPS STIG ID to few rules
---
.../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
.../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 1 +
.../crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml | 1 +
3 files changed, 3 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index 9ac0b55f65a..2f4fb79eb54 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -29,6 +29,7 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
srg: SRG-OS-000250-GPOS-00093
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
index 682ca436b8d..adeae314fff 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -30,6 +30,7 @@ references:
disa: CCI-001453
nist: AC-17(2)
srg: SRG-OS-000250-GPOS-00093
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
index d21f68ac17a..12e527ca33d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -28,6 +28,7 @@ references:
disa: CCI-001453
nist: AC-17(2)
srg: SRG-OS-000250-GPOS-00093
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'


@ -0,0 +1,91 @@
From c988807382a5c0e307567def55fcedcb2e3b75b7 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 4 Oct 2021 12:18:05 -0500
Subject: [PATCH 1/4] Update rsyslog_remote_loghost to match STIG and CIS
STIG and CIS only match *.conf files and we matched all files.
Moving to match the benchmarks.
Fixes #7333
---
.../rsyslog_remote_loghost/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
index 5895b7fab24..7b5d4968886 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
@@ -39,7 +39,7 @@
<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_d" version="1">
<ind:path>/etc/rsyslog.d</ind:path>
- <ind:filename operation="pattern match">.*</ind:filename>
+ <ind:filename operation="pattern match">*.conf</ind:filename>
<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From 19d72d76e6818f47e71245dece0d6faa62cfcdb1 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 4 Oct 2021 13:11:10 -0500
Subject: [PATCH 3/4] Add packages so that test suite pass in a container
---
.../rsyslog_remote_loghost/tests/line_commented.fail.sh | 1 +
.../rsyslog_remote_loghost/tests/line_not_there.fail.sh | 1 +
.../rsyslog_remote_loghost/tests/remote_configured.pass.sh | 1 +
3 files changed, 3 insertions(+)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
index 52376effea2..760606278b3 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = rsyslog
CONF_FILE="/etc/rsyslog.conf"
LOGHOST_LINE="*.* @@192.168.122.1:5000"
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
index 8a55da88c8d..ac82180f21c 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = rsyslog
CONF_FILE="/etc/rsyslog.conf"
sed -i "/^\*\.\*.*/d" "$CONF_FILE"
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
index 8122a490f25..3c396b4e52a 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# packages = rsyslog
CONF_FILE="/etc/rsyslog.conf"
LOGHOST_LINE="*.* @@192.168.122.1:5000"
From e7110e97c808b82a8d6d91c9da42f6c5422747cf Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 11 Oct 2021 11:33:13 -0500
Subject: [PATCH 4/4] Fix regex on rsyslog_remote_loghost
---
.../rsyslog_remote_loghost/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
index 7b5d4968886..0fdd24e18c2 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
@@ -39,7 +39,7 @@
<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_d" version="1">
<ind:path>/etc/rsyslog.d</ind:path>
- <ind:filename operation="pattern match">*.conf</ind:filename>
+ <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
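Review bot: None of the three tests touched in rsyslog_remote_loghost/tests exercises the path this series changes — each only edits `/etc/rsyslog.conf` through `CONF_FILE`, while both OVAL hunks alter the filename pattern applied under `/etc/rsyslog.d`, so the intermediate `*.conf` from PATCH 1/4 (a leading quantifier, not a valid pattern) was only caught by hand in PATCH 4/4. A pass test that writes `*.* @@192.168.122.1:5000` into `/etc/rsyslog.d/remote.conf` and a fail test that writes the same line into a file without the `.conf` suffix (for example `/etc/rsyslog.d/remote.conf.disabled`) would pin the final `^.+\.conf$` behaviour; both should carry the same `# packages = rsyslog` header the series adds to the existing tests. Since the commit message justifies the narrowing by STIG/CIS wording, a one-line comment above the object quoting that rationale (`<!-- STIG/CIS only consider *.conf files in /etc/rsyslog.d -->`) would keep the next reader from widening it again.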


@ -0,0 +1,51 @@
From f74121fc8b4074854e7cd96cc276711e80b54131 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 18 Nov 2021 10:23:10 +0100
Subject: [PATCH] Fix remediation for accounts_umask_interactive_users
Included logic to ensure sed command considers only hidden files,
ignoring possible hidden folders.
---
.../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
.../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
.../tests/hidden_folder_ignored.pass.sh | 5 +++++
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
index 142f10a2157..67064ac4a3b 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -8,5 +8,7 @@
ansible.builtin.shell:
cmd: |
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
+ for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ done
done
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
index 0644b221df8..f81fdfe41fd 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -5,5 +5,7 @@
# disruption = low
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
+ for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ done
done
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
new file mode 100644
index 00000000000..b9e1b7519ef
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+mkdir /home/$USER/.hiddenfolder
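Review bot: The reworked remediation keeps `s/^\([\s]*umask\s*\)/#\1/g` on the new `sed` lines in both ansible/shared.yml and bash/shared.sh, and in GNU sed's basic regex `\s` is not recognised inside a bracket expression, so `[\s]*` matches backslashes and the letter `s` rather than leading whitespace; an indented `umask 022` line is left active while the rule's OVAL pattern `^[\s]*umask\s*` (PCRE, where the bracket does mean whitespace) still reports it, so the remediation cannot bring such a host to pass. Dropping the brackets, `sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file"`, aligns check and fix. The surrounding `for file in $(find $dir ...)` also word-splits on whitespace in file names and leaves `$dir` unquoted; `find "$dir" -maxdepth 1 -type f -name '.*' -exec sed -i 's/^\(\s*umask\s*\)/#\1/g' {} +` avoids both and needs no loop. The added hidden_folder_ignored.pass.sh covers directories, but no test in the series uses an indented umask line, so the mismatch stays invisible to the test suite.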


@ -0,0 +1,759 @@
commit 26f72c842ec184ed517fbf0d3224c421ad7cc9c6
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:33:50 2022 +0100
Manual edited patch scap-security-guide-0.1.59-multifile_templates-PR_7405.patch.
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index f6f2ab4..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
- find:
- paths:
- - "/usr/lib"
- - "/usr/lib64"
- - "/lib"
- - "/lib64"
- file_type: "directory"
- register: library_dirs_not_group_owned_by_root
-
-- name: "Set group ownership of system library dirs to root"
- file:
- path: "{{ item.path }}"
- group: "root"
- state: "directory"
- mode: "{{ item.mode }}"
- with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
- when:
- - library_dirs_not_group_owned_by_root.matched > 0
- - item.gid != 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
deleted file mode 100644
index 365b983..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
-
-find /lib \
-/lib64 \
-/usr/lib \
-/usr/lib64 \
-\! -group root -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml
deleted file mode 100644
index 3af60ff..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<def-group>
- <definition class="compliance" id="dir_group_ownership_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- directories therein, are group-owned by root.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_dir_group_ownership_lib_dir" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_dir_group_ownership_lib_dir" version="1">
- <unix:object object_ref="object_dir_group_ownership_lib_dir" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_dir_group_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
- <unix:path operation="pattern match">(^\/lib(|64)\/|^\/usr\/lib(|64)\/)</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_group_owner_library_dirs_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="state_group_owner_library_dirs_not_root" version="1">
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index 8c0acc0..10203c9 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,rhel8,fedora
+prodtype: fedora,rhel8,sle12,sle15,ubuntu2004
title: 'Verify that Shared Library Directories Have Root Group Ownership'
@@ -40,6 +40,7 @@ references:
stigid@rhel8: RHEL-08-010350
stigid@sle12: SLES-12-010876
stigid@sle15: SLES-15-010356
+ stigid@ubuntu2004: UBTU-20-010431
ocil_clause: 'any of these directories are not group-owned by root'
@@ -52,3 +53,14 @@ ocil: |-
For each of these directories, run the following command to find files not
owned by root:
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chgrp root {} \;</pre>
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ recursive: 'true'
+ filegid: '0'
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index ac96858..4c76824 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -470,6 +470,7 @@ selections:
# UBTU-20-010430 The Ubuntu operating system library files must be group-owned by root.
# UBTU-20-010431 The Ubuntu operating system library directories must be group-owned by root.
+ - dir_group_ownership_library_dirs
# UBTU-20-010432 The Ubuntu operating system must be configured to preserve log records from failure events.
- service_rsyslog_enabled
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
index 073d356..68fc2e1 100644
--- a/shared/templates/file_groupowner/ansible.template
+++ b/shared/templates/file_groupowner/ansible.template
@@ -4,33 +4,44 @@
# complexity = low
# disruption = low
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-- name: Find {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
- paths: "{{{ FILEPATH }}}"
- patterns: "{{{ FILE_REGEX }}}"
+ paths: "{{{ path }}}"
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
register: files_found
-- name: Ensure group owner on {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
+- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
file:
path: "{{ item.path }}"
group: "{{{ FILEGID }}}"
with_items:
- "{{ files_found.files }}"
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+
+- name: Ensure group owner on {{{ path }}} recursively
+ file:
+ path: "{{{ path }}}"
+ state: directory
+ recurse: yes
+ group: "{{{ FILEGID }}}"
+
{{% else %}}
-- name: Test for existence {{{ FILEPATH }}}
+- name: Test for existence {{{ path }}}
stat:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
register: file_exists
-- name: Ensure group owner {{{ FILEGID }}} on {{{ FILEPATH }}}
+- name: Ensure group owner {{{ FILEGID }}} on {{{ path }}}
file:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
group: "{{{ FILEGID }}}"
when: file_exists.stat is defined and file_exists.stat.exists
{{% endif %}}
+{{% endfor %}}
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
index 442e015..982d2f3 100644
--- a/shared/templates/file_groupowner/bash.template
+++ b/shared/templates/file_groupowner/bash.template
@@ -4,13 +4,17 @@
# complexity = low
# disruption = low
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ FILEPATH }}})
+readarray -t files < <(find {{{ path }}})
for file in "${files[@]}"; do
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chgrp {{{ FILEGID }}} $file
fi
done
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
{{% else %}}
-chgrp {{{ FILEGID }}} {{{ FILEPATH }}}
+chgrp {{{ FILEGID }}} {{{ path }}}
{{% endif %}}
+{{% endfor %}}
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
index 1b637a6..fd2e5db 100644
--- a/shared/templates/file_groupowner/oval.template
+++ b/shared/templates/file_groupowner/oval.template
@@ -1,8 +1,16 @@
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+ {{% if FILEPATH is not string %}}
+ {{{ oval_metadata("This test makes sure that FILEPATH is group owned by " + FILEGID + ".") }}}
+ <criteria>
+ {{% for filepath in FILEPATH %}}
+ <criterion comment="Check file group ownership of {{{ filepath }}}" test_ref="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
+ {{% endfor %}}
+ {{% else %}}
{{{ oval_metadata("This test makes sure that " + FILEPATH + " is group owned by " + FILEGID + ".") }}}
<criteria>
<criterion comment="Check file group ownership of {{{ FILEPATH }}}" test_ref="test_file_groupowner{{{ FILEID }}}" />
+ {{% endif %}}
</criteria>
</definition>
{{%- if MISSING_FILE_PASS -%}}
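Review bot: The `{{% else %}}` branch kept for a string FILEPATH is unreachable once template.py wraps a plain string in a list, and if it were reached its criterion would reference `test_file_groupowner{{{ FILEID }}}` while the tests emitted below are always suffixed `_{{{ loop.index0 }}}`, so the definition would point at a test that does not exist. Either drop the branch or give the string case the same `_0` suffix. The `oval_metadata` text in the list branch prints the literal word FILEPATH instead of the paths; `{{{ FILEPATH | join(", ") }}}` would give the description real content. The same dead branch and literal description appear in file_owner/oval.template (L4142-4158) and file_permissions/oval.template (L4327-4346).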
@@ -12,23 +20,31 @@
{{# All defined files must exist. When using regex, at least one file must match #}}
{{% set FILE_EXISTENCE = "all_exist" %}}
{{%- endif -%}}
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing group ownership of {{{ FILEPATH }}}" id="test_file_groupowner{{{ FILEID }}}" version="1">
- <unix:object object_ref="object_file_groupowner{{{ FILEID }}}" />
- <unix:state state_ref="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}" />
+
+
+ {{% for filepath in FILEPATH %}}
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing group ownership of {{{ filepath }}}" id="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
+ <unix:object object_ref="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
+ <unix:state state_ref="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}_{{{ loop.index0 }}}" />
</unix:file_test>
- <unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}" version="1">
+ <unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}_{{{ loop.index0 }}}" version="1">
<unix:group_id datatype="int">{{{ FILEGID }}}</unix:group_id>
</unix:file_state>
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_groupowner{{{ FILEID }}}" version="1">
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY -%}}
- <unix:path>{{{ FILEPATH }}}</unix:path>
- {{%- if FILE_REGEX -%}}
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
- {{%- else -%}}
- <unix:filename xsi:nil="true" />
- {{%- endif -%}}
- {{%- else -%}}
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
- {{%- endif -%}}
+ {{%- if FILE_REGEX %}}
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
+ {{%- elif RECURSIVE %}}
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename xsi:nil="true" />
+ {{%- else %}}
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename xsi:nil="true" />
+ {{%- endif %}}
+ {{%- else %}}
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
+ {{%- endif %}}
</unix:file_object>
+ {{% endfor %}}
</def-group>
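Review bot: `<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>` in the RECURSIVE branch is neither anchored nor regex-escaped, so it matches every directory whose absolute path merely contains the configured path as a substring (a sibling directory with a longer name included), and any `.` in the path acts as a wildcard. Anchor it with `^` and escape regex metacharacters in the path (the project's Jinja regex-escape filter, if one is in scope for templates) before the pattern is emitted. With `<unix:filename xsi:nil="true" />` only directories are evaluated, not the files inside them, which is narrower than what the Ansible remediation changes and is worth stating in the rule documentation. The same applies to the RECURSIVE branch in file_owner/oval.template (L4159-4203) and file_permissions/oval.template (L4327-4383).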
diff --git a/shared/templates/file_groupowner/template.py b/shared/templates/file_groupowner/template.py
index 2263ae8..10baed9 100644
--- a/shared/templates/file_groupowner/template.py
+++ b/shared/templates/file_groupowner/template.py
@@ -1,12 +1,25 @@
-from ssg.utils import parse_template_boolean_value
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
def _file_owner_groupowner_permissions_regex(data):
- data["is_directory"] = data["filepath"].endswith("/")
- if "file_regex" in data and not data["is_directory"]:
- raise ValueError(
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
- "specify a directory. Append '/' to the filepath or remove the "
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
+ # this avoids code duplicates
+ if isinstance(data["filepath"], str):
+ data["filepath"] = [data["filepath"]]
+
+ if "file_regex" in data:
+ # we can have a list of filepaths, but only one regex
+ # instead of declaring the same regex multiple times
+ if isinstance(data["file_regex"], str):
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
+
+ # if the length of filepaths and file_regex are not the same, then error.
+ # in case we have multiple regexes for just one filepath, than we need
+ # to declare that filepath multiple times
+ if len(data["filepath"]) != len(data["file_regex"]):
+ raise ValueError(
+ "You should have one file_path per file_regex. Please check "
+ "rule '{0}'".format(data["_rule_id"]))
+
+ check_conflict_regex_directory(data)
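Review bot: `_file_owner_groupowner_permissions_regex` is now an identical copy in file_groupowner, file_owner (L4208-4236) and file_permissions (L4400-4428); since the directory/regex validation already moved to `ssg.utils.check_conflict_regex_directory`, the normalisation of `filepath` and `file_regex` into equal-length lists belongs next to it, leaving each template.py with a single call. `isinstance(data["filepath"], str)` does not match a `unicode` value, so if Python 2 is still a supported build interpreter a YAML string that arrives as unicode would be iterated character by character instead of being wrapped; I cannot confirm from here which types the YAML loader produces. The comment `# this avoids code duplicates` describes the intent of the whole function rather than the line below it; `# normalise a single path to a one-element list so the templates can always iterate` says what the line does.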
def preprocess(data, lang):
@@ -14,6 +27,10 @@ def preprocess(data, lang):
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
+ data["recursive"] = parse_template_boolean_value(data,
+ parameter="recursive",
+ default_value=False)
+
if lang == "oval":
data["fileid"] = data["_rule_id"].replace("file_groupowner", "")
return data
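Review bot: `recursive` is parsed but never validated against the other options: a rule that sets both `file_regex` and `recursive` takes the `IS_DIRECTORY and FILE_REGEX` branch in every template and the recursive request is silently ignored, and `recursive` on a plain file path is ignored in the same way. Rejecting the combination here, e.g. `if data["recursive"] and ("file_regex" in data or not data["is_directory"]): raise ValueError("'recursive' requires a directory filepath and cannot be combined with 'file_regex' in rule '{0}'".format(data["_rule_id"]))`, would surface the mistake at build time (this assumes the helper that sets `is_directory` has already run, which is outside the hunk). The same applies to file_owner (L4238-4246) and file_permissions (L4430-4437); `preprocess` begins before this hunk.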
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 6083fbe..80eaae8 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -4,33 +4,44 @@
# complexity = low
# disruption = low
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-- name: Find {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
find:
- paths: "{{{ FILEPATH }}}"
- patterns: "{{{ FILE_REGEX }}}"
+ paths: "{{{ path }}}"
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
register: files_found
-- name: Ensure group owner on {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
+- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
file:
path: "{{ item.path }}"
owner: "{{{ FILEUID }}}"
with_items:
- "{{ files_found.files }}"
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+
+- name: Ensure owner on {{{ path }}} recursively
+ file:
+ paths "{{{ path }}}"
+ state: directory
+ recurse: yes
+ owner: "{{{ FILEUID }}}"
+
{{% else %}}
-- name: Test for existence {{{ FILEPATH }}}
+- name: Test for existence {{{ path }}}
stat:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
register: file_exists
-- name: Ensure owner {{{ FILEUID }}} on {{{ FILEPATH }}}
+- name: Ensure owner {{{ FILEUID }}} on {{{ path }}}
file:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
owner: "{{{ FILEUID }}}"
when: file_exists.stat is defined and file_exists.stat.exists
{{% endif %}}
+{{% endfor %}}
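Review bot: `paths "{{{ path }}}"` in the new recursive task is missing the colon and uses the wrong key, so the rendered task is invalid YAML and would not reference the `file` module's `path` parameter; it should read `path: "{{{ path }}}"` as the groupowner and permissions templates do. The quotes were also dropped from `patterns: {{{ FILE_REGEX[loop.index0] }}}` here and in file_permissions (L4264): a regex containing `: ` or ` #`, or starting with `[` or `*`, would be misparsed as YAML unless every rule already supplies a quoted value, which I cannot confirm from the hunk.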
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
index 16025b7..27b5a2a 100644
--- a/shared/templates/file_owner/bash.template
+++ b/shared/templates/file_owner/bash.template
@@ -4,13 +4,17 @@
# complexity = low
# disruption = low
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ FILEPATH }}})
+readarray -t files < <(find {{{ path }}})
for file in "${files[@]}"; do
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chown {{{ FILEUID }}} $file
fi
done
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
{{% else %}}
-chown {{{ FILEUID }}} {{{ FILEPATH }}}
+chown {{{ FILEUID }}} {{{ path }}}
{{% endif %}}
+{{% endfor %}}
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index 23ac161..105e29c 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -1,8 +1,16 @@
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+ {{% if FILEPATH is not string %}}
+ {{{ oval_metadata("This test makes sure that FILEPATH is owned by " + FILEUID + ".") }}}
+ <criteria>
+ {{% for filepath in FILEPATH %}}
+ <criterion comment="Check file ownership of {{{ filepath }}}" test_ref="test_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" />
+ {{% endfor %}}
+ {{% else %}}
{{{ oval_metadata("This test makes sure that " + FILEPATH + " is owned by " + FILEUID + ".") }}}
<criteria>
<criterion comment="Check file ownership of {{{ FILEPATH }}}" test_ref="test_file_owner{{{ FILEID }}}" />
+ {{% endif %}}
</criteria>
</definition>
{{%- if MISSING_FILE_PASS -%}}
@@ -12,23 +20,30 @@
{{# All defined files must exist. When using regex, at least one file must match #}}
{{% set FILE_EXISTENCE = "all_exist" %}}
{{%- endif -%}}
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing user ownership of {{{ FILEPATH }}}" id="test_file_owner{{{ FILEID }}}" version="1">
- <unix:object object_ref="object_file_owner{{{ FILEID }}}" />
- <unix:state state_ref="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" />
+
+ {{% for filepath in FILEPATH %}}
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing user ownership of {{{ filepath }}}" id="test_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
+ <unix:object object_ref="object_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" />
+ <unix:state state_ref="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}_{{{ loop.index0 }}}" />
</unix:file_test>
- <unix:file_state id="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
+ <unix:file_state id="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}_{{{ loop.index0 }}}" version="1">
<unix:user_id datatype="int">{{{ FILEUID }}}</unix:user_id>
</unix:file_state>
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_owner{{{ FILEID }}}" version="1">
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY -%}}
- <unix:path>{{{ FILEPATH }}}</unix:path>
- {{%- if FILE_REGEX -%}}
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
- {{%- else -%}}
- <unix:filename xsi:nil="true" />
- {{%- endif -%}}
- {{%- else -%}}
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
- {{%- endif -%}}
+ {{%- if FILE_REGEX %}}
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
+ {{%- elif RECURSIVE %}}
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename xsi:nil="true" />
+ {{%- else %}}
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename xsi:nil="true" />
+ {{%- endif %}}
+ {{%- else %}}
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
+ {{%- endif %}}
</unix:file_object>
+ {{% endfor %}}
</def-group>
diff --git a/shared/templates/file_owner/template.py b/shared/templates/file_owner/template.py
index 0dd0008..1391dcf 100644
--- a/shared/templates/file_owner/template.py
+++ b/shared/templates/file_owner/template.py
@@ -1,12 +1,25 @@
-from ssg.utils import parse_template_boolean_value
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
def _file_owner_groupowner_permissions_regex(data):
- data["is_directory"] = data["filepath"].endswith("/")
- if "file_regex" in data and not data["is_directory"]:
- raise ValueError(
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
- "specify a directory. Append '/' to the filepath or remove the "
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
+ # this avoids code duplicates
+ if isinstance(data["filepath"], str):
+ data["filepath"] = [data["filepath"]]
+
+ if "file_regex" in data:
+ # we can have a list of filepaths, but only one regex
+ # instead of declaring the same regex multiple times
+ if isinstance(data["file_regex"], str):
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
+
+ # if the length of filepaths and file_regex are not the same, then error.
+ # in case we have multiple regexes for just one filepath, than we need
+ # to declare that filepath multiple times
+ if len(data["filepath"]) != len(data["file_regex"]):
+ raise ValueError(
+ "You should have one file_path per file_regex. Please check "
+ "rule '{0}'".format(data["_rule_id"]))
+
+ check_conflict_regex_directory(data)
def preprocess(data, lang):
@@ -14,6 +27,10 @@ def preprocess(data, lang):
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
+ data["recursive"] = parse_template_boolean_value(data,
+ parameter="recursive",
+ default_value=False)
+
if lang == "oval":
data["fileid"] = data["_rule_id"].replace("file_owner", "")
return data
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index 029d03f..fc211bd 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -3,33 +3,45 @@
# strategy = configure
# complexity = low
# disruption = low
+
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-- name: Find {{{ FILEPATH }}} file(s)
+- name: Find {{{ path }}} file(s)
find:
- paths: "{{{ FILEPATH }}}"
- patterns: "{{{ FILE_REGEX }}}"
+ paths: "{{{ path }}}"
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
register: files_found
-- name: Set permissions for {{{ FILEPATH }}} file(s)
+- name: Set permissions for {{{ path }}} file(s)
file:
path: "{{ item.path }}"
mode: "{{{ FILEMODE }}}"
with_items:
- "{{ files_found.files }}"
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+
+- name: Set permissions for {{{ path }}} recursively
+ file:
+ path: "{{{ path }}}"
+ state: directory
+ recurse: yes
+ mode: "{{{ FILEMODE }}}"
+
{{% else %}}
-- name: Test for existence {{{ FILEPATH }}}
+- name: Test for existence {{{ path }}}
stat:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
register: file_exists
-- name: Ensure permission {{{ FILEMODE }}} on {{{ FILEPATH }}}
+- name: Ensure permission {{{ FILEMODE }}} on {{{ path }}}
file:
- path: "{{{ FILEPATH }}}"
+ path: "{{{ path }}}"
mode: "{{{ FILEMODE }}}"
when: file_exists.stat is defined and file_exists.stat.exists
{{% endif %}}
+{{% endfor %}}
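Review bot: `file:` with `state: directory`, `recurse: yes` and `mode: "{{{ FILEMODE }}}"` applies the directory mode to every file and subdirectory under the path, whereas the bash counterpart (`find … -type d`) and the OVAL object (`<unix:filename xsi:nil="true" />`) cover directories only. A mode chosen for directories therefore sets the execute bit on regular files, and a mode chosen for files leaves subdirectories untraversable, so the check and the two remediations disagree about what "recursive" covers. Either restrict the Ansible task to the same scope as the other two or document in the template that recursive permissions include files.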
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
index af9cf4e..e0d8fe9 100644
--- a/shared/templates/file_permissions/bash.template
+++ b/shared/templates/file_permissions/bash.template
@@ -4,13 +4,17 @@
# complexity = low
# disruption = low
+{{% for path in FILEPATH %}}
{{% if IS_DIRECTORY and FILE_REGEX %}}
-readarray -t files < <(find {{{ FILEPATH }}})
+readarray -t files < <(find {{{ path }}})
for file in "${files[@]}"; do
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
chmod {{{ FILEMODE }}} $file
fi
done
+{{% elif IS_DIRECTORY and RECURSIVE %}}
+find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
{{% else %}}
-chmod {{{ FILEMODE }}} {{{ FILEPATH }}}
+chmod {{{ FILEMODE }}} {{{ path }}}
{{% endif %}}
+{{% endfor %}}
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
index f570ff8..89083e8 100644
--- a/shared/templates/file_permissions/oval.template
+++ b/shared/templates/file_permissions/oval.template
@@ -16,31 +16,47 @@
{{%- endif -%}}
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
- {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
+ {{% if FILEPATH is not string %}}
+ {{{ oval_metadata("This test makes sure that FILEPATH has mode " + FILEMODE + ".
+ If the target file or directory has an extended ACL, then it will fail the mode check.
+ ") }}}
+ <criteria>
+ {{% for filepath in FILEPATH %}}
+ <criterion comment="Check file mode of {{{ filepath }}}" test_ref="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}"{{{ ' negate="true"' if ALLOW_STRICTER_PERMISSIONS }}}/>
+ {{% endfor %}}
+ {{% else %}}
+ {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
If the target file or directory has an extended ACL, then it will fail the mode check.
") }}}
<criteria>
<criterion comment="Check file mode of {{{ FILEPATH }}}" test_ref="test_file_permissions{{{ FILEID }}}"{{{ ' negate="true"' if ALLOW_STRICTER_PERMISSIONS }}}/>
+ {{% endif %}}
</criteria>
</definition>
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing mode of {{{ FILEPATH }}}" id="test_file_permissions{{{ FILEID }}}" version="2">
- <unix:object object_ref="object_file_permissions{{{ FILEID }}}" />
- <unix:state state_ref="state_file_permissions{{{ FILEID }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}" />
- </unix:file_test>
- <unix:file_state id="state_file_permissions{{{ FILEID }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}"{{{ ' operator="OR"' if ALLOW_STRICTER_PERMISSIONS }}} version="2">
+
+ {{% for filepath in FILEPATH %}}
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing mode of {{{ filepath }}}" id="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="2">
+ <unix:object object_ref="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" />
+ <unix:state state_ref="state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}" />
+ </unix:file_test>
+ <unix:file_state id="state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}"{{{ ' operator="OR"' if ALLOW_STRICTER_PERMISSIONS }}} version="2">
{{{ STATEMODE | indent(6) }}}
- </unix:file_state>
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_permissions{{{ FILEID }}}" version="1">
+ </unix:file_state>
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY %}}
- <unix:path>{{{ FILEPATH }}}</unix:path>
{{%- if FILE_REGEX %}}
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
+ {{%- elif RECURSIVE %}}
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
+ <unix:filename xsi:nil="true" />
{{%- else %}}
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
<unix:filename xsi:nil="true" />
{{%- endif %}}
{{%- else %}}
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
{{%- if ALLOW_STRICTER_PERMISSIONS %}}
@@ -49,8 +65,8 @@
https://github.com/OpenSCAP/openscap/pull/1709 but this line should be kept until the
fix is widely available. The fix is expected to be part of OpenSCAP >= 1.3.5.
#}}
- <filter action="include">state_file_permissions{{{ FILEID }}}_mode_not_{{{ FILEMODE }}}</filter>
+ <filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
{{%- endif %}}
-
- </unix:file_object>
+ </unix:file_object>
+ {{% endfor %}}
</def-group>
diff --git a/shared/templates/file_permissions/template.py b/shared/templates/file_permissions/template.py
index 677e083..6e20a62 100644
--- a/shared/templates/file_permissions/template.py
+++ b/shared/templates/file_permissions/template.py
@@ -1,12 +1,25 @@
-from ssg.utils import parse_template_boolean_value
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
def _file_owner_groupowner_permissions_regex(data):
- data["is_directory"] = data["filepath"].endswith("/")
- if "file_regex" in data and not data["is_directory"]:
- raise ValueError(
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
- "specify a directory. Append '/' to the filepath or remove the "
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
+ # this avoids code duplicates
+ if isinstance(data["filepath"], str):
+ data["filepath"] = [data["filepath"]]
+
+ if "file_regex" in data:
+ # we can have a list of filepaths, but only one regex
+ # instead of declaring the same regex multiple times
+ if isinstance(data["file_regex"], str):
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
+
+ # if the length of filepaths and file_regex are not the same, then error.
+ # in case we have multiple regexes for just one filepath, than we need
+ # to declare that filepath multiple times
+ if len(data["filepath"]) != len(data["file_regex"]):
+ raise ValueError(
+ "You should have one file_path per file_regex. Please check "
+ "rule '{0}'".format(data["_rule_id"]))
+
+ check_conflict_regex_directory(data)
def preprocess(data, lang):
@@ -16,6 +29,10 @@ def preprocess(data, lang):
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
+ data["recursive"] = parse_template_boolean_value(data,
+ parameter="recursive",
+ default_value=False)
+
if lang == "oval":
data["fileid"] = data["_rule_id"].replace("file_permissions", "")
# build the state that describes our mode
diff --git a/ssg/utils.py b/ssg/utils.py
index b0ded09..2248b1e 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -303,3 +303,25 @@ def parse_template_boolean_value(data, parameter, default_value):
raise ValueError(
"Template parameter {} used in rule {} cannot accept the "
"value {}".format(parameter, data["_rule_id"], value))
+
+
+def check_conflict_regex_directory(data):
+ """
+ Validate that either all path are directories OR file_regex exists.
+
+ Throws ValueError.
+ """
+ for f in data["filepath"]:
+ if "is_directory" in data and data["is_directory"] != f.endswith("/"):
+ raise ValueError(
+ "If passing a list of filepaths, all of them need to be "
+ "either directories or files. Mixing is not possible. "
+ "Please fix rules '{0}' filepath '{1}'".format(data["_rule_id"], f))
+
+ data["is_directory"] = f.endswith("/")
+
+ if "file_regex" in data and not data["is_directory"]:
+ raise ValueError(
+ "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
+ "specify a directory. Append '/' to the filepath or remove the "
+ "'file_regex' key.".format(data["_rule_id"], f))
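Review bot: The docstring says "either all path are directories OR file_regex exists", but the function actually enforces that all paths are of one kind and that `file_regex` only accompanies directories, so the text should be corrected. The loop-carried comparison also has two edge cases: an `is_directory` key already present on `data` before the call is compared against the first path as if it were a previous element, and an empty `filepath` list leaves `data["is_directory"]` unset for the templates. Computing the set of kinds up front avoids both and reads more directly.
```python
def check_conflict_regex_directory(data):
    """
    Validate that every entry of data["filepath"] is of the same kind
    (all directories, ending in "/", or all plain files) and that
    'file_regex' is only used together with directories.

    Sets data["is_directory"]. Raises ValueError on a violation.
    """
    kinds = {f.endswith("/") for f in data["filepath"]}
    if len(kinds) > 1:
        raise ValueError(
            "If passing a list of filepaths, all of them need to be "
            "either directories or files. Mixing is not possible. "
            "Please fix rule '{0}' filepath '{1}'".format(
                data["_rule_id"], data["filepath"]))
    data["is_directory"] = kinds.pop() if kinds else False
    # … unchanged: file_regex-without-directory ValueError …
```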


@ -0,0 +1,245 @@
From b8fd95776ce894006163b2bb5e34682e5844ca1e Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 21 Oct 2021 14:43:51 -0500
Subject: [PATCH 1/5] Always esacpe parameter in ansible_set_config_file
---
.../ansible/shared.yml | 5 +++--
.../ansible/shared.yml | 5 +++--
.../ansible/shared.yml | 5 +++--
shared/macros-ansible.jinja | 17 ++++++++++-------
4 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
index 637f90003b2..ca5a405f877 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
@@ -5,5 +5,6 @@
# disruption = low
{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
- "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
- value="x509/name", create='yes') }}}
+ "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
+ value="x509/name", create='yes')
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
index 5d11103fc0f..1f001f47e07 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
@@ -4,6 +4,7 @@
# complexity = low
# disruption = low
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
- parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
+ parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ",
+ separator_regex=" ")
}}}
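Review bot: `separator_regex=" "` makes the regex used to find, deduplicate and remove the directive match a single space only, so an existing `$ActionSendStreamDriverMode` line separated by a tab or two spaces survives and the new line is inserted alongside it. The sibling rule at L4487-4494 passes `'\s'` and the macro's default is `'\s+'`; using `separator_regex='\s+'` (or simply omitting the argument) here and in the defaultnetstreamdriver hunk (L4512-4520) keeps the three rsyslog rules consistent.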
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
index 035ab152876..4016a08721e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -4,6 +4,7 @@
# complexity = low
# disruption = low
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
- parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
+ , separator_regex=" ")
}}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 563350743fe..0f8dba56dab 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,14 +25,17 @@ value: "Setting={{ varname1 }}"
Note that all string-like parameters are single quoted in the YAML.
#}}
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
- name: "{{{ msg or rule_title }}}"
lineinfile:
path: '{{{ path }}}'
create: {{{ create }}}
- {{%- if regex %}}
+ {{%- if regex and not escape_regex %}}
regexp: '{{{ regex }}}'
{{%- endif %}}
+ {{%- if regex and escape_regex %}}
+ regexp: '{{ {{{ regex }}} | regex_escape }}'
+ {{%- endif %}}
{{%- if state == 'present' %}}
line: '{{{ new_line }}}'
state: present
@@ -121,7 +124,7 @@ value: "Setting={{ varname1 }}"
ini configuration files are best served with the ini Ansible module
instead of lineinfile-based solutions.
#}}
-{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='') %}}
+{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False) %}}
{{{ ansible_only_lineinfile(msg, file, prefix_regex + parameter + separator_regex, parameter + separator + value, create=create, block=True, validate=validate, insert_after=insert_after, insert_before=insert_before) }}}
{{%- endmacro %}}
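Review bot: `escape_regex=False` is added to the signature of `ansible_set_config_file` but never forwarded: the `ansible_only_lineinfile` call on the next line is unchanged, so a caller passing `escape_regex=True` gets no escaping. Either pass it through or drop the parameter; the visible part of patch 4 in this series reworks `ansible_lineinfile` and `ansible_set_config_file_dir` but does not touch this macro.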
@@ -143,12 +146,12 @@ value: "Setting={{ varname1 }}"
{{%- set new_line = parameter + separator + value -%}}
- name: '{{{ msg or rule_title }}}'
block:
- {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
- {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
+ {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
+ {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
{{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
{{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
- {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
- {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
+ {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
+ {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
{{%- endmacro %}}
{{#
From 5635bf94c9274511e3d63feb8d4082c4ec9144f3 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 26 Oct 2021 13:01:27 -0500
Subject: [PATCH 2/5] Fix a couple items from reviewers on ansible_lineinfile
escaping
---
.../ansible/shared.yml | 4 ++--
shared/macros-ansible.jinja | 3 +--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
index 4016a08721e..3cc18d4476e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -5,6 +5,6 @@
# disruption = low
{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
- parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
- , separator_regex=" ")
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true,
+ separator=" ", separator_regex=" ")
}}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 0f8dba56dab..752d220bbfc 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -32,8 +32,7 @@ value: "Setting={{ varname1 }}"
create: {{{ create }}}
{{%- if regex and not escape_regex %}}
regexp: '{{{ regex }}}'
- {{%- endif %}}
- {{%- if regex and escape_regex %}}
+ {{%- elif regex and escape_regex %}}
regexp: '{{ {{{ regex }}} | regex_escape }}'
{{%- endif %}}
{{%- if state == 'present' %}}
From f6541126a4d19bfef8752028467659ab9d9f74ed Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 2 Nov 2021 08:32:18 -0500
Subject: [PATCH 3/5] Fix escaping in ansible_lineinfile macro
---
shared/macros-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 752d220bbfc..1e0ba6260bb 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -33,7 +33,7 @@ value: "Setting={{ varname1 }}"
{{%- if regex and not escape_regex %}}
regexp: '{{{ regex }}}'
{{%- elif regex and escape_regex %}}
- regexp: '{{ {{{ regex }}} | regex_escape }}'
+ regexp: {{{ regex }}} | regex_escape
{{%- endif %}}
{{%- if state == 'present' %}}
line: '{{{ new_line }}}'
From ef6d300a707dc272eaa9442ece135009287bfdf5 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 3 Nov 2021 11:15:11 -0500
Subject: [PATCH 4/5] Move regex_escape to ansible_set_config_file_dir
---
shared/macros-ansible.jinja | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 1e0ba6260bb..8e7ce1a1206 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,15 +25,13 @@ value: "Setting={{ varname1 }}"
Note that all string-like parameters are single quoted in the YAML.
#}}
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
- name: "{{{ msg or rule_title }}}"
lineinfile:
path: '{{{ path }}}'
create: {{{ create }}}
- {{%- if regex and not escape_regex %}}
+ {{%- if regex %}}
regexp: '{{{ regex }}}'
- {{%- elif regex and escape_regex %}}
- regexp: {{{ regex }}} | regex_escape
{{%- endif %}}
{{%- if state == 'present' %}}
line: '{{{ new_line }}}'
@@ -138,19 +136,19 @@ value: "Setting={{ varname1 }}"
{{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
{{%- set dir_exists = var_dir + "_exists" -%}}
{{%- set dir_parameter = var_dir + "_has_parameter" -%}}
-{{%- set line_regex = prefix_regex + parameter + separator_regex -%}}
+{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
{{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
{{%- set lineinfile_when = dir_parameter + ".matched" -%}}
{{%- set new_line = parameter + separator + value -%}}
- name: '{{{ msg or rule_title }}}'
block:
- {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
- {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
+ {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
+ {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
{{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
{{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
- {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
- {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
+ {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
+ {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
{{%- endmacro %}}
{{#
From c29550ef26fc283ce5e72038fddf70aa716f4d1c Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 4 Nov 2021 08:53:42 -0500
Subject: [PATCH 5/5] Fix ansible-lint lint issues
---
shared/macros-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 8e7ce1a1206..76f05e76b88 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -136,7 +136,7 @@ value: "Setting={{ varname1 }}"
{{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
{{%- set dir_exists = var_dir + "_exists" -%}}
{{%- set dir_parameter = var_dir + "_has_parameter" -%}}
-{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
+{{%- set line_regex = prefix_regex + "{{ \"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
{{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
{{%- set lineinfile_when = dir_parameter + ".matched" -%}}


@ -0,0 +1,71 @@
From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 14 Oct 2021 12:12:16 +0200
Subject: [PATCH] Set sshd priv keys permissions 600 for all products.
---
.../file_permissions_sshd_private_key/rule.yml | 15 +++------------
.../tests/correct_value.pass.sh | 8 +-------
.../tests/multiple_keys.fail.sh | 2 +-
4 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index bda7ae4d53b..ddda4075e21 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -3,11 +3,7 @@ documentation_complete: true
title: 'Verify Permissions on SSH Server Private *_key Key Files'
description: |-
- {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}
{{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}
- {{% else %}}
- {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}
- {{% endif %}}
rationale: |-
If an unauthorized user obtains the private SSH host key file, the host could be
@@ -45,10 +41,10 @@ references:
stigid@sle12: SLES-12-030220
stigid@sle15: SLES-15-040250
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}
+ {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}
template:
name: file_permissions
@@ -56,9 +52,4 @@ template:
filepath: /etc/ssh/
missing_file_pass: 'true'
file_regex: ^.*_key$
- filemode: '0640'
- filemode@sle12: '0600'
- filemode@sle15: '0600'
- filemode@ubuntu1604: '0600'
- filemode@ubuntu1804: '0600'
- filemode@ubuntu2004: '0600'
+ filemode: '0600'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
index 5790a48..f7cf8d9 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
@@ -2,4 +2,4 @@
#
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 /etc/ssh/*_key
+chmod 0600 /etc/ssh/*_key
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
index 6df9d61b715..7c0d6019702 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
@@ -4,4 +4,4 @@
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
chmod 0777 $FAKE_KEY
FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 $FAKE_KEY2
+chmod 0600 $FAKE_KEY2
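Review bot: The diffstat at the top of this patch says `4 files changed, 7 insertions(+), 21 deletions(-)` but only three file entries and three diffs follow, so a hunk appears to have been dropped while the patch was hand-edited; either regenerate the stat line or name the omitted file in the subject so the next rebase does not try to reconcile it. The rule.yml hunk collapses the per-product `filemode@sle12`/`filemode@ubuntu*` overrides into a single `filemode: '0600'`, which removes the 0640 mode that products shipping the host keys group-readable for a dedicated key group (typically used by ssh-keysign for host-based authentication) have relied on, so it is worth confirming that the openssh packaging of every product in the rule's prodtype installs the keys as 0600 before the check is tightened, otherwise remediation and package defaults will fight. The `correct_value.pass.sh` hunk also applies `chmod 0600` to every `/etc/ssh/*_key` on the test host rather than only the temporary key it creates; that is acceptable for a throwaway test VM but deserves a one-line comment saying so.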


@ -0,0 +1,195 @@
From bac8ca5091aa74eab66691fcb7a6ac0c944de9c6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 23 Mar 2022 17:50:18 +0100
Subject: [PATCH] Manually edited patch
scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch.
---
.../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 6 +++---
.../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 6 +++---
.../chronyd_or_ntpd_set_maxpoll/oval/shared.xml | 4 ++--
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 4 +++-
.../tests/chrony.pass.sh | 3 +++
.../tests/chrony_one_pool_configured.pass.sh | 14 ++++++++++++++
.../tests/chrony_one_pool_misconfigured.fail.sh | 14 ++++++++++++++
.../chrony_one_pool_missing_parameter.fail.sh | 14 ++++++++++++++
.../tests/chrony_one_server_misconfigured.fail.sh | 3 +++
9 files changed, 59 insertions(+), 9 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
index 3c83850..da0a622 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
# reboot = false
# strategy = restrict
# complexity = low
@@ -27,7 +27,7 @@
- name: Update the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
+ regex: '^((?:server|pool).*maxpoll) [0-9]+(\s+.*)$'
line: '\1 {{ var_time_service_set_maxpoll }}\2'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
@@ -43,7 +43,7 @@
- name: Set the maxpoll values in /etc/chrony.conf
lineinfile:
path: /etc/chrony.conf
- regex: '(^server\s+((?!maxpoll).)*)$'
+ regex: '(^(?:server|pool)\s+((?!maxpoll).)*)$'
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
backrefs: yes
when: chrony_conf_exist_result.stat.exists
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
index b23deff..54b1b73 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
@@ -8,9 +8,9 @@ config_file="/etc/ntp.conf"
# Set maxpoll values to var_time_service_set_maxpoll
-sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
+sed -i "s/^\(\(server\|pool\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
-# Add maxpoll to server entries without maxpoll
-grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
+# Add maxpoll to server or pool entries without maxpoll
+grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line ; do
sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
done
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
index 25a8589..76f8101 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
@@ -46,7 +46,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -77,7 +77,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
- <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+[\s]+(.*)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 77af724..bd5150b 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -9,8 +9,10 @@ description: |-
{{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
- add the following:
+ add the following after each `server` or `pool` entry:
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
+ to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+ should be configured too.
If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
to pass.
{{% if product == "rhcos4" %}}
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
index 38f5031..60dfc29 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server" /etc/chrony.conf ; then
echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf
elif ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
new file mode 100644
index 0000000..6cbeb0e
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 16" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
new file mode 100644
index 0000000..12f2cda
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server or pool options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst maxpoll 18" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
new file mode 100644
index 0000000..1ef4798
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all server options
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
+
+echo "pool pool.ntp.org iburst" >> /etc/chrony.conf
+
+systemctl enable chronyd.service
+
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
index 0fc7840..6f86faf 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
@@ -5,6 +5,9 @@
yum remove -y ntp
+# Remove all pool options
+sed -i "/^pool.*/d" /etc/chrony.conf
+
if ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
sed -i "s/^server.*/& maxpoll 10/" /etc/chrony.conf
fi
--
2.34.1
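Review bot: The widened loop `grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line` still feeds each line into `sed -i "s/$line/& maxpoll ..."` unanchored and unescaped, so a line that is a prefix of another (`pool a.example` versus `pool a.example.org`) or one containing a sed metacharacter rewrites the wrong place; anchoring the substitution, `sed -i "s/^$line$/& maxpoll $var_time_service_set_maxpoll/" "$config_file"`, removes the prefix case, and the match should require trailing whitespace as the OVAL pattern `^(?:server|pool)[\s]+` does, so that only the two directives and not any token starting with those letters are touched. The same preexisting weakness applied to `server` before this patch, but the patch extends it to `pool`, so this is the right time to fix it. The description hunk in rule.yml now reads "add the following after each `server` or `pool` entry: … to `server` directives. If using chrony any `pool` directives should be configured too.", which states the same requirement twice and mixes backtick and `<pre>` markup; one sentence naming both directives is enough.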



@ -0,0 +1,324 @@
commit 2e1eeff365be8fde302620fae6691ccc523f6f9e
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:19:45 2022 +0100
Manual edited patch scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch.
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
index c95f1d4..9035eee 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
@@ -29,11 +29,34 @@
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
-<ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
- comment="check forkernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
- check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_trust_cpu_rng_boot_param" />
- <ind:state state_ref="state_trust_cpu_rng_boot_param_off" />
+ {{% if product in ['rhel9'] %}}
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
+ comment="check kernel command line parameters for the argument for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_on"
+ comment="check kernel command line parameters for the argument for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_on"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_kernel_trust_cpu_rng_entries" version="1">
+ <ind:path>/boot/loader/entries/</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{% else %}}
+
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
+ comment="check for kernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_trust_cpu_rng_boot_param"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
</ind:textfilecontent54_test>
@@ -50,6 +73,7 @@
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% endif %}}
<ind:textfilecontent54_state id="state_trust_cpu_rng_boot_param_on"
version="1">
@@ -61,5 +85,4 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?random\.trust_cpu=off(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
-
</def-group>
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
index dae640f..b8ff66c 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
title: 'Ensure IPv6 is disabled through kernel boot parameter'
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
new file mode 100644
index 0000000..fc649d7
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Removes ipv6.disable argument from kernel command line in //boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+ fi
+done
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
new file mode 100644
index 0000000..3c1cde1
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Break the ipv6.disable argument in kernel command line in /boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
+ else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts|options\).*\)/\1 ipv6\.disable=0/' "$file"
+ fi
+done
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index b5f55ae..3eebbd9 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -684,3 +684,43 @@ dpkg-query --show --showformat='${db:Status-Status}\n' "{{{ pkgname }}}" 2>/dev/
rpm --quiet -q "{{{ pkgname }}}"
{{%- endif -%}}
{{%- endmacro -%}}
+
+{{#
+
+ Remediation for grub2 bootloader arguments
+#}}
+{{% macro grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+{{% if '/' in ARG_NAME %}}
+{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
+{{% elif '/' in ARG_NAME_VALUE %}}
+{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}}
+{{% endif %}}
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
+else
+ # no {{{ ARG_NAME }}}=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
+fi
+
+{{% if 'ubuntu' in product %}}
+update-grub
+{{% else %}}
+# Correct the form of kernel command line for each installed kernel in the bootloader
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+{{% endif %}}
+{{% else %}}
+# Correct grub2 kernelopts value using grub2-editenv
+existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
+if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
+ if test -n "$existing_kernelopts"; then
+ grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}"
+ else
+ grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
+ fi
+fi
+{{% endif %}}
+
+{{% endmacro %}}
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
index cecd1f9..fd75db4 100644
--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
@@ -1,6 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
{{% if '/' in ARG_NAME %}}
{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
{{% elif '/' in ARG_NAME_VALUE %}}
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
index e8da1fe..3ea8acb 100644
--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
@@ -2,9 +2,14 @@
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
<criteria operator="AND">
- {{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
- <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+ {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+ {{% if product in ['rhel9'] %}}
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
+ {{% else %}}
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+ {{% endif %}}
<criteria operator="OR">
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
@@ -22,7 +27,7 @@
</criteria>
</definition>
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
check="all" check_existence="all_exist" version="1">
@@ -50,6 +55,21 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% if product in ["rhel9"] %}}
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+ comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" version="1">
+ <ind:path>/boot/loader/entries/</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{% else %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
check="all" check_existence="all_exist" version="1">
@@ -68,6 +88,8 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% endif %}}
+
{{% else %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py
index 7c32daa..60951cf 100644
--- a/shared/templates/grub2_bootloader_argument/template.py
+++ b/shared/templates/grub2_bootloader_argument/template.py
@@ -6,6 +6,7 @@ def preprocess(data, lang):
if lang == "oval":
# escape dot, this is used in oval regex
data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
# replace . with _, this is used in test / object / state ids
data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"])
return data
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
new file mode 100644
index 0000000..fdf2a5d
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# platform = Red Hat Enterprise Linux 8
+
+# Removes audit argument from kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+fi
+
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
new file mode 100644
index 0000000..a56e6d0
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
+
+# Removes argument from kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
new file mode 100644
index 0000000..b6454a9
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..5a97ec2
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Break the argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
+ # modify the GRUB command-line if the arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
+else
+ # no arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
+fi
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
new file mode 100644
index 0000000..09861aa
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Removes argument from kernel command line in /boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*{{{ ESCAPED_ARG_NAME }}}=.*' "$file" ; then
+ # modify the GRUB command-line if an audit= arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
+ else
+ # no audit=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
+ fi
+done


@ -0,0 +1,84 @@
commit c68d33e672264e1b4f2c664004d258ddfc198856
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:15:07 2022 +0100
Manual edited patch scap-security-guide-0.1.60-sysctl_d_directories-PR_7999.patch.
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
new file mode 100644
index 0000000..48a2665
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/sysctl.sh
+
+setting_name="kernel.randomize_va_space"
+setting_value="2"
+# sysctl -w "$setting_name=$setting_value"
+if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
+else
+ echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
+fi
+
+setting_name="kernel.randomize_va_space"
+setting_value="0"
+# sysctl -w "$setting_name=$setting_value"
+if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
+else
+ echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
+fi
+
+sysctl --system
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index e4ccd84..3837b31 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -3,6 +3,21 @@
# strategy = disable
# complexity = low
# disruption = medium
+
+- name: List /etc/sysctl.d/*.conf files
+ find:
+ paths: "/etc/sysctl.d/"
+ contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
+ patterns: "*.conf"
+ register: find_sysctl_d
+
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+ replace:
+ path: "{{ item }}"
+ regexp: '^[\s]*{{{ SYSCTLVAR }}}'
+ replace: '#{{{ SYSCTLVAR }}}'
+ loop: "{{ find_sysctl_d.files }}"
+
{{%- if SYSCTLVAL == "" %}}
- (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index a762794..5ec56fd 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -4,6 +4,18 @@
# complexity = low
# disruption = medium
. /usr/share/scap-security-guide/remediation_functions
+
+# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+for f in /etc/sysctl.d/*.conf ; do
+ matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
{{%- if SYSCTLVAL == "" %}}
{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
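Review bot: The grep in the new bash.template loop, `grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f`, demands at least one whitespace character before the sysctl name, so an uncommented `{{{ SYSCTLVAR }}} = value` line that starts at column 0 — exactly what the new wrong_value_d_directory.fail.sh appends with `echo` — is never commented out, while the ansible.template hunk in the same patch uses `^[\s]*{{{ SYSCTLVAR }}}`; `[\s]*` looks like the intended quantifier, and the loop ends outside the hunk so I cannot see whether a later step compensates. The dots in the sysctl name are unescaped regex metacharacters and `$f` is unquoted, so the match is looser than it reads. The follow-up `sed -i "s/^${entry}$/# &/g" $f` splices each matched line verbatim into a sed expression, so any `/` or regex metacharacter in a user-written entry breaks or mis-applies the substitution; escaping `$entry` for sed, or commenting by line number from `grep -n`, keeps user data safe.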


@ -0,0 +1,155 @@
commit 3c9a97de3a91b2a8fd85f13bb902e2529dd6fa67
Author: Watson Sato <wsato@redhat.com>
Date: Fri Feb 25 13:51:41 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch.
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
index 8a28af0..02c69bd 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = high
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
index a0f5aeb..853f8ac 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -31,6 +31,8 @@ rationale: |-
of initiating changes, including upgrades and modifications.
identifiers:
+ cce@rhel8: CCE-88692-9
+ cce@rhel9: CCE-88693-7
cce@sle12: CCE-83234-5
cce@sle15: CCE-85753-2
@@ -40,6 +42,8 @@ references:
disa: CCI-001499
nerc-cip: CIP-003-3 R6
nist: CM-5,CM-5(6),CM-5(6).1
+ srg: SRG-OS-000259-GPOS-00100
+ stigid@rhel8: RHEL-08-010331
stigid@sle12: SLES-12-010872
stigid@sle15: SLES-15-010352
stigid@ubuntu2004: UBTU-20-010427
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
index af07846..6e957c3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
index d58616b..55ff9ce 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
chmod -R 755 "$dirPath"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
index 98d18cd..c2b5b6b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
DIRS="/lib /lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
index 6df6e2f..40e6c42 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
DIRS="/usr/lib /usr/lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index adeae4a..fab5f3f 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -77,6 +77,7 @@ selections:
- accounts_password_pam_difok
- accounts_max_concurrent_login_sessions
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- file_owner_etc_shadow
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5d03125..d51e53a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -224,6 +224,9 @@ selections:
# RHEL-08-010330
- file_permissions_library_dirs
+ # RHEL-08-010331
+ - dir_permissions_library_dirs
+
# RHEL-08-010340
- file_ownership_library_dirs
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 9acb63a..b751a74 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -195,6 +195,9 @@ selections:
# RHEL-08-010330
- file_permissions_library_dirs
+ # RHEL-08-010331
+ - dir_permissions_library_dirs
+
# RHEL-08-010340
- file_ownership_library_dirs
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1b83798..fef5fd8 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2758,8 +2758,6 @@ CCE-88688-7
CCE-88689-5
CCE-88690-3
CCE-88691-1
-CCE-88692-9
-CCE-88693-7
CCE-88694-5
CCE-88695-2
CCE-88696-0
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e4f9dd8..3b4b43a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -175,6 +175,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_group_ownership_var_log_audit
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d37d2ec..2e0e161 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -186,6 +186,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_group_ownership_var_log_audit
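Review bot: The products/rhel8/profiles/cjis.profile hunk adds `- set_password_hashing_algorithm_passwordauth`, which is unrelated to RHEL-08-010331 / dir_permissions_library_dirs that the rest of the patch introduces; if it is a deliberate CJIS change it deserves its own patch and a line in the description, otherwise it looks like a leftover of the manual edit. The test platform lines are widened only to `multi_platform_rhel` while ansible/shared.yml is widened to `multi_platform_all`, so the ansible remediation would also be built for any other product in the rule's prodtype without a corresponding test — confirm that is intended.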


@ -0,0 +1,46 @@
commit ae056f1639768deba6f51427419eb73f2e6e7626
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Feb 25 14:20:55 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch.
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 51adb67..ed2734c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -27,7 +27,7 @@ references:
cis@ubuntu2004: 1.4.1
cjis: 5.10.1.3
cobit5: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06
- disa: CCI-002699,CCI-001744
+ disa: CCI-002696,CCI-002699,CCI-001744
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6'
ism: 1034,1288,1341,1417
@@ -35,8 +35,8 @@ references:
nist: CM-6(a)
nist-csf: DE.CM-1,DE.CM-7,PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3
pcidss: Req-11.5
- srg: SRG-OS-000363-GPOS-00150
- stigid@rhel8: RHEL-08-010360
+ srg: SRG-OS-000363-GPOS-00150,SRG-OS-000445-GPOS-00199
+ stigid@rhel8: RHEL-08-010359
stigid@sle12: SLES-12-010500
stigid@sle15: SLES-15-010420
stigid@ubuntu2004: UBTU-20-010450
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 705caa8..d6f0793 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -237,8 +237,10 @@ selections:
- root_permissions_syslibrary_files
- dir_group_ownership_library_dirs
- # RHEL-08-010360
+ # RHEL-08-010359
- package_aide_installed
+
+ # RHEL-08-010360
- aide_scan_notification
# RHEL-08-010370


@ -0,0 +1,326 @@
commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:44:13 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
new file mode 100644
index 0000000..0d8c9e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^#include(dir)?\s.*$'
+ register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^#include(dir)?\s.*$'
+ state: absent
+ with_items: "{{ sudoers_d_includes.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
new file mode 100644
index 0000000..fbff5eb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+
+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+ sed -i "/#includedir.*/d" "$sudoers_config_file"
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+ fi
+fi
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
new file mode 100644
index 0000000..59cab0b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
+ <ind:object object_ref="object_sudoers_default_includedir" />
+ <ind:state state_ref="state_sudoers_default_includedir" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
+ <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
+ <ind:object object_ref="object_sudoers_without_include" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
+ <ind:object object_ref="object_sudoersd_without_includes" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
+ <ind:path>/etc/sudoers.d/</ind:path>
+ <ind:filename operation="pattern match">.*</ind:filename>
+ <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
new file mode 100644
index 0000000..a97bd3e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+ Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
+ other directories and configuration files from the file currently being parsed.
+
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
+ The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+ Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+ Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
+ Use of these configuration options makes it easier for one compromised accound to be used to
+ compromise other accounts.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86277-1
+ cce@rhel8: CCE-86377-9
+ cce@rhel9: CCE-86477-7
+
+references:
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+ To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
+ run the following command:
+ <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
+ If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
+ Any other line returned is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
new file mode 100644
index 0000000..ac0c808
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
new file mode 100644
index 0000000..5bad822
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
new file mode 100644
index 0000000..1e0ab8a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
new file mode 100644
index 0000000..3f14ecc
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
new file mode 100644
index 0000000..8951507
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
new file mode 100644
index 0000000..ad04880
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
new file mode 100644
index 0000000..09d14ea
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure that there are two different indludedirs
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
new file mode 100644
index 0000000..55a072a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index bfb3753..f5fed4a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -271,6 +271,9 @@ selections:
# RHEL-08-010376
- sysctl_kernel_perf_event_paranoid
+ # RHEL-08-010379
+ - sudoers_default_includedir
+
# RHEL-08-010380
- sudo_remove_nopasswd
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ec92589..99bccc7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -478,7 +478,6 @@ CCE-86373-8
CCE-86374-6
CCE-86375-3
CCE-86376-1
-CCE-86377-9
CCE-86378-7
CCE-86379-5
CCE-86380-3
@@ -576,7 +575,6 @@ CCE-86473-6
CCE-86474-4
CCE-86475-1
CCE-86476-9
-CCE-86477-7
CCE-86478-5
CCE-86479-3
CCE-86480-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2411f02..2dbc2e4 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -360,6 +360,7 @@ selections:
- sudo_remove_nopasswd
- sudo_require_reauthentication
- sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
- sudoers_validate_passwd
- sysctl_crypto_fips_enabled
- sysctl_fs_protected_hardlinks
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index f0a9601..cd76884 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -371,6 +371,7 @@ selections:
- sudo_remove_nopasswd
- sudo_require_reauthentication
- sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
- sudoers_validate_passwd
- sysctl_crypto_fips_enabled
- sysctl_fs_protected_hardlinks
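Review bot: In the new bash/shared.sh, `grep -c "#includedir"` and `sed -i "/#includedir.*/d"` are unanchored, so a real comment such as `## #includedir is not a comment here` is counted as a directive and then deleted, whereas the OVAL check anchors on `^#includedir[\s]+`; anchoring the grep and sed to `^#includedir\s` keeps the remediation in step with the check. The check and both remediations recognize only the `#include`/`#includedir` spelling, but sudo 1.9.1 and later also accept `@include`/`@includedir`, so an extra `@include` directive would pass the rule unnoticed on products shipping that sudo — worth confirming against the prodtype list. The three OVAL tests carry the copy-pasted comment `audit augenrules rmmod`; a per-test comment such as `comment="/etc/sudoers has exactly one #includedir and it points to /etc/sudoers.d"` would describe what each one checks. rule.yml also has typos in user-facing text: `configurtion` and `accound` in the rationale and `/etc/sudores.d` in ocil_clause.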


@ -0,0 +1,19 @@
commit b7f5c68f8172e88aed6ce22fb70dc48ef3148ffa
Author: Watson Sato <wsato@redhat.com>
Date: Fri Feb 25 18:23:41 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index 62b6f55..523ab62 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -41,7 +41,7 @@ references:
srg: SRG-OS-000077-GPOS-00045
stigid@ol7: OL07-00-010270
stigid@rhel7: RHEL-07-010270
- stigid@rhel8: RHEL-08-020220
+ stigid@rhel8: RHEL-08-020221
vmmsrg: SRG-OS-000077-VMM-000440
ocil_clause: |-


@ -0,0 +1,63 @@
From f284885e417d86c408c9f94db02b4b7066d316be Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 7 Feb 2022 11:34:16 +0100
Subject: [PATCH] Add RHEL-08-040321 to RHEL8 STIG profile
The STIG doesn't recommend the systems to target the graphical
environment by default.
---
.../disabling_xwindows/xwindows_runlevel_target/rule.yml | 1 +
products/rhel8/profiles/stig.profile | 3 +++
products/rhel8/profiles/stig_gui.profile | 3 +++
tests/data/profile_stability/rhel8/stig.profile | 1 +
4 files changed, 8 insertions(+)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index de0e359a44e..df56a30be80 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -39,6 +39,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a)
nist-csf: PR.AC-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040321
ocil_clause: 'the X windows display server is running and/or has not been disabled'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 09fa85df181..ffca983d0bd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1169,6 +1169,9 @@ selections:
# RHEL-08-040320
- xwindows_remove_packages
+ # RHEL-08-040321
+ - xwindows_runlevel_target
+
# RHEL-08-040330
- network_sniffer_disabled
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
index d1577215b07..d29ceb9c54e 100644
--- a/products/rhel8/profiles/stig_gui.profile
+++ b/products/rhel8/profiles/stig_gui.profile
@@ -35,3 +35,6 @@ extends: stig
selections:
# RHEL-08-040320
- '!xwindows_remove_packages'
+
+ # RHEL-08-040321
+ - '!xwindows_runlevel_target'
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 9c05c27117c..e4fee44f9f9 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -398,6 +398,7 @@ selections:
- usbguard_generate_policy
- wireless_disable_interfaces
- xwindows_remove_packages
+- xwindows_runlevel_target
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=077


@ -0,0 +1,492 @@
commit 3cd2b8efbf9d91967e3e65bd2029f7ab3d400314
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:22:28 2022 +0100
Manual edited patch scap-security-guide-0.1.61-file_groupowner-PR_7791.patch.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
new file mode 100644
index 0000000..de85c89
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Group root'
+
+description: |-
+ All audit configuration files must be owned by group root.
+ <pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can
+ select which events are audited, unauthorized personnel may be able
+ to prevent the auditing of critical events.
+ Misconfigured audits may degrade the system's performance by
+ overwhelming the audit log. Misconfigured audits may also make it more
+ difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+ disa: CCI-000171
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@ubuntu2004: UBTU-20-010135
+
+ocil: |-
+ {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
+ {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /etc/audit/
+ - /etc/audit/rules.d/
+ file_regex:
+ - ^audit(\.rules|d\.conf)$
+ - ^.*\.rules$
+ filegid: '0'
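Review bot: The `ocil` block at the `{{{ describe_file_group_owner(...) }}}` lines reuses the description macro instead of the check macro, and the rule has no `ocil_clause`, unlike the sibling rule in this same patch that pairs `description` with `describe_file_group_owner` and `ocil` with `ocil_file_group_owner` plus an `ocil_clause_file_group_owner` line (file_groupowner_var_log_syslog/rule.yml). As written the OCIL text tells the reader how to set the group, not how to verify it. I would change the two `ocil` lines to `{{{ ocil_file_group_owner(file="/etc/audit/", group="root") }}}` and `{{{ ocil_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}` and add a matching `ocil_clause`. The same pattern appears in file_ownership_audit_configuration/rule.yml in the next patch, where `ocil` uses `describe_file_owner`.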
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
new file mode 100644
index 0000000..5235e0d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILE
+touch $AUDITFILE
+chgrp root $TESTFILE
+chgrp root $AUDITFILE
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 0000000..52378d8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+groupadd group_test
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
+export AUDITFILE=/etc/audit/auditd.conf
+mkdir -p /etc/audit/rules.d/
+touch $TESTFILLE
+touch $AUDITFILE
+chgrp group_test $TESTFILLE
+chgrp group_test $AUDITFILE
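Review bot: The variable is spelled `TESTFILLE` throughout this scenario while the matching pass scenario uses `TESTFILE`; it works because the misspelling is consistent, but it reads as a typo and makes the two scripts harder to compare. I would rename it to `TESTFILE` and quote the expansions, e.g. `touch "$TESTFILE"` and `chgrp group_test "$TESTFILE"`, matching the quoting a shell linter would expect for path variables.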
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
index 5ddaf9f..b99705d 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
@@ -1,8 +1,15 @@
+{{% if 'ubuntu' in product %}}
+{{% set gid = 'syslog' %}}
+{{% else %}}
+{{% set gid = 'root' %}}
+{{% endif %}}
+
+
documentation_complete: true
title: 'Verify Group Who Owns /var/log Directory'
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
rationale: |-
The <tt>/var/log</tt> directory contains files with logs of error
@@ -21,13 +28,16 @@ references:
stigid@rhel8: RHEL-08-010260
stigid@ubuntu2004: UBTU-20-010417
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
ocil: |-
- {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
+ {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
template:
name: file_groupowner
vars:
filepath: /var/log/
filegid: '0'
+ filegid@ubuntu1604: '110'
+ filegid@ubuntu1804: '110'
+ filegid@ubuntu2004: '110'
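Review bot: The three `filegid@ubuntu*: '110'` lines pin the expected group to a numeric GID, while the Jinja block at the top of the file describes the same group by name (`syslog`). If the template only accepts a numeric id this is unavoidable, but on Debian-derived systems `syslog` is a system group whose id is allocated at package install time, so 110 is presumably not stable across installations and the check could fail on a compliant system; this should be confirmed against the template and, at minimum, recorded in a comment such as `# GID of the 'syslog' group as allocated on stock Ubuntu images; confirm before relying on it`. The same concern applies to `fileuid: '104'` in file_owner_var_log_syslog/rule.yml in the next patch. The `filegid: '4'` for `adm` in file_groupowner_var_log_syslog/rule.yml is a static base group and is not affected.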
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
new file mode 100644
index 0000000..f654279
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /var/log/syslog File'
+
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010420
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /var/log/syslog
+ filegid: '4'
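Review bot: This rule checks `/var/log/syslog` against group `adm` and carries only an `stigid@ubuntu2004` reference, yet it has no `prodtype`, so it will be built for every product; the sibling rule dir_groupownership_binary_dirs/rule.yml added in this same patch restricts itself with `prodtype: ubuntu2004`. Unless the rule is intentionally product-neutral, I would add `prodtype: ubuntu2004` after `documentation_complete: true`. The same applies to file_owner_var_log_syslog/rule.yml, file_groupownership_audit_configuration/rule.yml and file_ownership_audit_configuration/rule.yml in these patches.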
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
new file mode 100644
index 0000000..655b2cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that system commands directories are group owned by root'
+
+description: |-
+ System commands files are stored in the following directories by default:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin
+ </pre>
+ All these directories should be owned by the <tt>root</tt> group.
+ If the directory is found to be owned by a group other than root correct
+ its ownership with the following command:
+ <pre>$ sudo chgrp root <i>DIR</i></pre>
+
+rationale: |-
+ If the operating system allows any user to make changes to software
+ libraries, then those changes might be implemented without undergoing the
+ appropriate testing and approvals that are part of a robust change management
+ process.
+ This requirement applies to operating systems with software libraries
+ that are accessible and configurable, as in the case of interpreted languages.
+ Software libraries also include privileged programs which execute with
+ escalated privileges. Only qualified and authorized individuals must be
+ allowed to obtain access to information system components for purposes
+ of initiating changes, including upgrades and modifications.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010425
+
+ocil_clause: 'any of these directories are not owned by root group'
+
+ocil: |-
+ System commands are stored in the following directories:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin</pre>
+ For each of these directories, run the following command to find files not
+ owned by root group:
+ <pre>$ sudo find -L <i>$DIR</i> ! -group root -type d \;</pre>
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ filegid: '0'
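Review bot: The verification command in `ocil`, `$ sudo find -L <i>$DIR</i> ! -group root -type d \;`, ends with a stray `\;` that belongs to an `-exec` clause that is not there, so `find` rejects the expression as written. I would change it to `<pre>$ sudo find -L <i>DIR</i> ! -group root -type d</pre>`, which also drops the `$` before the placeholder to match how the other rules on this page write `<i>DIR</i>`. The `rationale` paragraph talks about software libraries and interpreted languages, which reads as if it was carried over from a library-directory rule; a sentence about system command directories would fit the title better.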
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index 28df783..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
- find:
- paths:
- - "/usr/lib"
- - "/usr/lib64"
- - "/lib"
- - "/lib64"
- file_type: "directory"
- register: library_dirs_not_owned_by_root
-
-- name: "Set ownership of system library dirs to root"
- file:
- path: "{{ item.path }}"
- owner: "root"
- state: "directory"
- mode: "{{ item.mode }}"
- with_items: "{{ library_dirs_not_owned_by_root.files }}"
- when: library_dirs_not_owned_by_root.matched > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
new file mode 100644
index 0000000..f61a5f9
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
@@ -0,0 +1,77 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools are owned by group root'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ ownership configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010201
+
+ocil: |-
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ <pre>$ sudo chown :root [audit_tool] </pre>
+
+ Replace "[audit_tool]" with each audit tool not group-owned by root.
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ filegid: '0'
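Review bot: The first SRG reference, `srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098`, contains `GPiOS`, which does not match the `SRG-OS-nnnnnn-GPOS-nnnnn` form of every other SRG identifier on this page and looks like a typo for `GPOS`; please verify against the SRG source before correcting it. The same string appears in file_ownership_audit_binaries/rule.yml in the next patch. The `description` also has "to protected against" and the sentence fragment "Audit tools needed to successfully view and manipulate audit information system activity and records", which are duplicated in that rule as well.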
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
index 5598e47..a9e8c7d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
index 7cf507c..33a0c85 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
@@ -1,10 +1,12 @@
#!/bin/bash
+groupadd group_test
+
for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
do
if [[ ! -f $TESTFILE ]]
then
touch $TESTFILE
fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
deleted file mode 100644
index f5ca938..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<def-group>
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
- {{{ oval_metadata("
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
- are owned by root.
- ") }}}
- <criteria >
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
- </unix:file_test>
-
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
- <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
- are owned by root. -->
- <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
- </unix:file_state>
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 83371b8..3b983de 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15,rhel8,fedora
+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
title: |-
Verify the system-wide library files in directories
@@ -44,6 +44,7 @@ references:
stigid@rhel8: RHEL-08-010350
stigid@sle12: SLES-12-010875
stigid@sle15: SLES-15-010355
+ stigid@ubuntu2004: UBTU-20-01430
ocil_clause: 'system wide library files are not group owned by root'
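Review bot: The added reference `stigid@ubuntu2004: UBTU-20-01430` has five digits after the prefix, whereas every other UBTU identifier in these patches has six (for example `UBTU-20-010425`), so a digit has most likely been dropped. I cannot tell from the patch which identifier is intended, so it should be checked against the Ubuntu 20.04 STIG rather than guessed.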
@@ -57,3 +58,14 @@ ocil: |-
To find if system-wide library files stored in these directories are not group-owned by
root run the following command for each directory <i>DIR</i>:
<pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ filegid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index a4ae285..0e982c3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
new file mode 100644
index 0000000..a4ae285
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+do
+ if [[ -d $SYSLIBDIRS ]]
+ then
+ find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
+ fi
+done
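Review bot: This new correct_groupowner.pass.sh is the pre-patch content of correct_group.pass.sh (both sides of the rename point at blob `a4ae285`), so the rule now ships two pass scenarios that do the same thing, and the copy lacks the `multi_platform_ubuntu` platform that correct_group.pass.sh gains in this same patch. Likewise the new incorrect_groupowner.fail.sh (blob `c96f65b`) duplicates incorrect_group.fail.sh while keeping `chown nobody.nobody $TESTFILE`, the very line the other scenario replaces with `chgrp group_test`. I would drop the duplicated scenarios, or if the intent was a rename, remove the old files so each scenario exists once with the updated platform line.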
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index c96f65b..23a7703 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,10 +1,11 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+groupadd group_test
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
do
if [[ ! -f $TESTFILE ]]
then
touch $TESTFILE
fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 0000000..c96f65b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+do
+ if [[ ! -f $TESTFILE ]]
+ then
+ touch $TESTFILE
+ fi
+ chown nobody.nobody $TESTFILE
+done


@ -0,0 +1,278 @@
commit 74bab352f4bb5b52beaf70c6f23f60d4af4f9518
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:42:09 2022 +0100
Manual edited scap-security-guide-0.1.61-file_owner-PR_7789.patch.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
new file mode 100644
index 0000000..968ef33
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+title: 'Audit Configuration Files Must Be Owned By Root'
+
+description: |-
+ All audit configuration files must be owned by root user.
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can
+ select which events are audited, unauthorized personnel may be able
+ to prevent the auditing of critical events.
+ Misconfigured audits may degrade the system's performance by
+ overwhelming the audit log. Misconfigured audits may also make it more
+ difficult to establish, correlate, and investigate the events relating
+ to an incident or identify those responsible for one.
+
+severity: medium
+
+references:
+ disa: CCI-000171
+ srg: SRG-OS-000063-GPOS-00032
+ stigid@ubuntu2004: UBTU-20-010134
+
+ocil: |-
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /etc/audit/
+ - /etc/audit/rules.d/
+ file_regex:
+ - ^audit(\.rules|d\.conf)$
+ - ^.*\.rules$
+ fileuid: '0'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
new file mode 100644
index 0000000..4d67307
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+chown 0 /etc/audit/audit.rules
+chown 0 /etc/audit/auditd.conf
+chown 0 -R /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
new file mode 100644
index 0000000..337074f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+useradd testuser_123
+chown testuser_123 /etc/audit/audit.rules
+chown testuser_123 /etc/audit/auditd.conf
+chown testuser_123 -R /etc/audit/rules.d/
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
new file mode 100644
index 0000000..f1bf515
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns /var/log/syslog File'
+
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010421
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
+
+template:
+ name: file_owner
+ vars:
+ filepath: /var/log/syslog
+ fileuid: '104'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
new file mode 100644
index 0000000..e236238
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
@@ -0,0 +1,55 @@
+documentation_complete: true
+
+title: 'Verify that System Executable Have Root Ownership'
+
+description: |-
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin</pre>
+ All these directories should be owned by the <tt>root</tt> user.
+ If any directory <i>DIR</i> in these directories is found
+ to be owned by a user other than root, correct its ownership with the
+ following command:
+ <pre>$ sudo chown root <i>DIR</i></pre>
+
+rationale: |-
+ System binaries are executed by privileged users as well as system services,
+ and restrictive permissions are necessary to ensure that their
+ execution of these programs cannot be co-opted.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010424
+
+ocil_clause: 'any system exectables directories are found to not be owned by root'
+
+ocil: |-
+ System executables are stored in the following directories by default:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/local/bin
+ /usr/local/sbin
+ /usr/sbin</pre>
+ For each of these directories, run the following command to find files
+ not owned by root:
+ <pre>$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ fileuid: '0'
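Review bot: The `ocil` text introduces `$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;` as the command "to find files not owned by root", but the `-exec chown` clause makes it a remediation that changes ownership while the reader is only supposed to be checking. I would change it to `<pre>$ sudo find -L <i>DIR</i> ! -user root -type d</pre>` and leave the `chown` to the `description`, which already gives it. Separately, the `description` opens directly with `<pre>` and has no introductory sentence like the one in dir_groupownership_binary_dirs/rule.yml, `ocil_clause` has "exectables", and the rule has no `prodtype` although its only reference is `stigid@ubuntu2004`.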
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
new file mode 100644
index 0000000..0c7d9b3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
@@ -0,0 +1,77 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools are owned by root'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ ownership configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010200
+
+ocil: |-
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl root
+ /sbin/aureport root
+ /sbin/ausearch root
+ /sbin/autrace root
+ /sbin/auditd root
+ /sbin/audispd root
+ /sbin/augenrules root
+ </pre>
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ <pre>$ sudo chown root [audit_tool] </pre>
+
+ Replace "[audit_tool]" with each audit tool not owned by root.
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ fileuid: '0'
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 4c76824..487de82 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -452,6 +452,7 @@ selections:
# UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
# UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
+ - dir_ownership_binary_dirs
# UBTU-20-010425 The Ubuntu operating system must have directories that contain system commands group-owned by root.
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 80eaae8..590c9fc 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -25,7 +25,7 @@
- name: Ensure owner on {{{ path }}} recursively
file:
- paths "{{{ path }}}"
+ path: "{{{ path }}}"
state: directory
recurse: yes
owner: "{{{ FILEUID }}}"


@ -0,0 +1,430 @@
commit b56ce1b9070236c1f44e936548d9ff44b2ebe8a3
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:44:02 2022 +0100
Manual edited patch scap-security-guide-0.1.61-file_permissions-PR_7788.patch.
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
new file mode 100644
index 0000000..93fd73e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+readarray -t files < <(find /var/log/)
+for file in "${files[@]}"; do
+ if basename $file | grep -qE '^.*$'; then
+ chmod 0640 $file
+ fi
+done
+
+if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
+fi
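Review bot: `readarray -t files < <(find /var/log/)` collects directories as well as files, and the `basename $file | grep -qE '^.*$'` filter matches every name, so the loop applies `chmod 0640` to `/var/log/` itself and to every subdirectory, removing the search bit that is needed to reach the log files inside them. The rule is about file permissions, so I would restrict the search with `readarray -t files < <(find /var/log/ -type f)` and quote the expansion, `chmod 0640 "$file"`; if the regex filter is meant to be a template hook, it should at least exclude directories. The `?` in `^f \/var\/log\/(btmp|wtmp|lastlog)? ` also makes the filename group optional, so the guard is true for any `f /var/log/ ` line, which is probably broader than intended.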
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
deleted file mode 100644
index dd95ce0..0000000
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition class="compliance" id="permissions_local_var_log" version="1">
- {{{ oval_metadata("
- Checks that files in /var/log have permission at least 0640
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_mode_log_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="log file with less restrictive permission than 0640" id="test_mode_log_files" version="1">
- <unix:object object_ref="object_file_mode_log_files" />
- </unix:file_test>
-
- <unix:file_object comment="log files" id="object_file_mode_log_files" version="1">
- <unix:path operation="pattern match">^\/var\/log\/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">log_files_permission_more_0640</filter>
- <filter action="exclude">var_log_symlinks</filter>
- </unix:file_object>
-
- <unix:file_state id="log_files_permission_more_0640" version="1" operator="OR">
- <!-- if any one of these is true then mode is NOT 0640 (hence the OR operator) -->
- <unix:uexec datatype="boolean">true</unix:uexec>
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:gexec datatype="boolean">true</unix:gexec>
- <unix:oread datatype="boolean">true</unix:oread>
- <unix:owrite datatype="boolean">true</unix:owrite>
- <unix:oexec datatype="boolean">true</unix:oexec>
- </unix:file_state>
-
- <unix:file_state id="var_log_symlinks" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
index 1939531..bd7e984 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -46,3 +46,10 @@ ocil: |-
<pre>
sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/
+ file_regex: '.*'
+ filemode: '0640'
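Review bot: The template invocation passes `filepath: /var/log/` with `file_regex: '.*'` but no `recursive` key, whereas the OVAL it replaces matched the path with the pattern `^\/var\/log\/`, which covers every nested directory, and the OCIL above still runs a recursive `find /var/log -perm /137 -type f`. Unless the file_permissions template recurses by default — the dir_permissions_binary_dirs rule added in this same patch passes `recursive: 'true'` explicitly, which suggests it does not — files in subdirectories of /var/log drop out of the automated check and the manual and automated checks disagree. Consider adding `recursive: 'true'` under `vars:`, or confirm the template default and document it here.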
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
index 5317ef2..1793259 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
@@ -1,5 +1,6 @@
#!/bin/bash
+chmod -R 640 /var/log
mkdir -p /var/log/testme
touch /var/log/testme/test.log
chmod 640 /var/log/testme/test.log
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
index 83db1ac..69b0814 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+chmod -R 640 /var/log/
mkdir -p /var/log/testme
chmod 777 /var/log/testme
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
new file mode 100644
index 0000000..93962ea
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+
+chmod 0755 /var/log/
+
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
+fi
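Review bot: `chmod 0755 /var/log/` is unconditional, so it also loosens a directory that is already stricter than the "0755 or less permissive" wording of the STIG item (a 0750 directory becomes 0755); `chmod go-w /var/log/`, the form the binary-directory remediation in this patch uses, only ever removes bits. The sed edits `/usr/lib/tmpfiles.d/00rsyslog.conf` in place; files under /usr/lib/tmpfiles.d are normally package-owned and replaced on update, while a same-named file in `/etc/tmpfiles.d/` takes precedence and survives upgrades, so the persistent fix is better written there. The replacement `\10755` also discards any setgid digit in a four-digit mode field (2755 becomes 0755) — confirm that is intended for a directory shared with the syslog group.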
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
new file mode 100644
index 0000000..73258d4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /var/log/syslog File'
+
+description: |-
+ {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
+
+rationale: |-
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
+ the system and should only be accessed by authorized personnel.
+
+severity: medium
+
+references:
+ disa: CCI-001314
+ srg: SRG-OS-000206-GPOS-00084
+ stigid@ubuntu2004: UBTU-20-010422
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /var/log/syslog
+ filemode: '0640'
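Review bot: This rule carries no `prodtype`, while the sibling file_permissions_audit_binaries rule in this patch restricts itself with `prodtype: ubuntu2004`; /var/log/syslog is an rsyslog-on-Debian/Ubuntu convention and the only reference here is `stigid@ubuntu2004`. If rules without a prodtype are built for every product, adding `prodtype: ubuntu2004` after `documentation_complete: true` keeps a check for a file that does not exist elsewhere out of other products' content.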
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
new file mode 100644
index 0000000..a666c76
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+title: 'Verify that System Executable Directories Have Restrictive Permissions'
+
+description: |-
+ System executables are stored in the following directories by default:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin</pre>
+ These directories should not be group-writable or world-writable.
+ If any directory <i>DIR</i> in these directories is found to be
+ group-writable or world-writable, correct its permission with the
+ following command:
+ <pre>$ sudo chmod go-w <i>DIR</i></pre>
+
+rationale: |-
+ System binaries are executed by privileged users, as well as system services,
+ and restrictive permissions are necessary to ensure execution of these programs
+ cannot be co-opted.
+
+severity: medium
+
+references:
+ disa: CCI-001495
+ srg: SRG-OS-000258-GPOS-00099
+ stigid@ubuntu2004: UBTU-20-010423
+
+ocil_clause: 'any of these files are group-writable or world-writable'
+
+ocil: |-
+ System executables are stored in the following directories by default:
+ <pre>/bin
+ /sbin
+ /usr/bin
+ /usr/sbin
+ /usr/local/bin
+ /usr/local/sbin</pre>
+ To find system executables directories that are group-writable or
+ world-writable, run the following command for each directory <i>DIR</i>
+ which contains system executables:
+ <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /bin/
+ - /sbin/
+ - /usr/bin/
+ - /usr/sbin/
+ - /usr/local/bin/
+ - /usr/local/sbin/
+ recursive: 'true'
+ filemode: '0755'
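Review bot: The description and OCIL define the finding as "group-writable or world-writable" (`find -L DIR -perm /022 -type d`, fix `chmod go-w DIR`), but the template is given an absolute `filemode: '0755'`; a directory at 0750 or 2755 is not writable by group or other yet is not 0755, so whether it is flagged depends on the template's comparison semantic, which is not visible here. Either align the prose with what the template evaluates or phrase the description as "0755 or less permissive", which is how the STIG item is worded in the profile comment added in this patch. The OCIL also uses `find -L` to follow symlinks while the template's OVAL now excludes symlinks; if `/bin` and `/sbin` are symlinks into /usr (merged-/usr layouts), the manual and automated checks may walk different directory sets, so this deserves a test on such an image.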
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
index 3f7239d..af07846 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
index 1f68586..d58616b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
@@ -1,5 +1,6 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
done
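Review bot: `chmod -R 755 "$dirPath"` rewrites the mode of every file under /lib and /usr/lib, not just directories, which clears any setuid/setgid bits on helper binaries living there and leaves the test image in a state unrelated to this directory-permission rule. The sibling all_dirs_ok.pass.sh in this directory uses the narrower `find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;`; that form, or `find "$dirPath" -type d -exec chmod 755 '{}' \;`, keeps the fixture to directories.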
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
index b60a726..98d18cd 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
DIRS="/lib /lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
index 5438b51..6df6e2f 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
DIRS="/usr/lib /usr/lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
new file mode 100644
index 0000000..da42e99
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
@@ -0,0 +1,78 @@
+documentation_complete: true
+
+prodtype: ubuntu2004
+
+title: 'Verify that audit tools Have Mode 0755 or less'
+
+description: |-
+ The {{{ full_name }}} operating system audit tools must have the proper
+ permissions configured to protected against unauthorized access.
+
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl 755
+ /sbin/aureport 755
+ /sbin/ausearch 755
+ /sbin/autrace 755
+ /sbin/auditd 755
+ /sbin/audispd 755
+ /sbin/augenrules 755
+ </pre>
+
+ Audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ Operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+references:
+ disa: CCI-001493,CCI-001494
+ srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
+ stigid@ubuntu2004: UBTU-20-010199
+
+ocil: |-
+ Verify it by running the following command:
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
+
+ /sbin/auditctl 755
+ /sbin/aureport 755
+ /sbin/ausearch 755
+ /sbin/autrace 755
+ /sbin/auditd 755
+ /sbin/audispd 755
+ /sbin/augenrules 755
+ </pre>
+
+ If the command does not return all the above lines, the missing ones
+ need to be added.
+
+ Run the following command to correct the permissions of the missing
+ entries:
+ <pre>$ sudo chmod 0755 [audit_tool] </pre>
+
+ Replace "[audit_tool]" with the audit tool that does not have the
+ correct permissions.
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audispd
+ - /sbin/augenrules
+ filemode: '0755'
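Review bot: The OCIL sentence "If the command does not return all the above lines, the missing ones need to be added" reads as if an absent tool should be installed, whereas the finding is a tool whose reported mode is more permissive than 755; a clearer replacement is `If any of the listed tools reports a mode more permissive than 755, this is a finding.` The title and profile wording say "0755 or less" while the template pins `filemode: '0755'`, so whether a tool already at 0750 is reported depends on the template semantic and should be stated in the description. The expected `stat` output is duplicated verbatim in description and OCIL; keeping it only in the OCIL avoids the two drifting apart.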
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
index 5d95c98..ab89b27 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000..59b8838
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000..9d9ce30
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -type f -exec chmod 0777 '{}' \;
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
new file mode 100644
index 0000000..de388e6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ chmod -R 755 "$dirPath"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
new file mode 100644
index 0000000..913e75e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ find "$dirPath" -type d -exec chmod go-w '{}' \;
+ find "$dirPath" -type f -exec chmod go+w '{}' \;
+done
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 487de82..091e472 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -448,8 +448,10 @@ selections:
# UBTU-20-010421 The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
# UBTU-20-010422 The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
+ - file_permissions_var_log_syslog
# UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
+ - dir_permissions_binary_dirs
# UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
- dir_ownership_binary_dirs
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
index 89083e8..6b3616a 100644
--- a/shared/templates/file_permissions/oval.template
+++ b/shared/templates/file_permissions/oval.template
@@ -67,6 +67,11 @@
#}}
<filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
{{%- endif %}}
+ <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
</unix:file_object>
{{% endfor %}}
+
+ <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
</def-group>
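Review bot: Excluding symbolic links on the OVAL side is right, since a symlink's own mode bits are meaningless, but the hand-written ubuntu.sh remediation for permissions_local_var_log in this patch walks the same directory with `find` and calls `chmod` on every path, and chmod follows symlinks to their target. The check therefore never evaluates a symlink while the fix can rewrite the mode of whatever it points to, possibly outside the audited directory; remediations paired with this template should use `find ... -type f` (or `! -type l`) to mirror this filter. A comment above the new state, `<!-- symlinks are skipped: their mode bits are not meaningful; remediations must skip them too -->`, would make the contract explicit for the next template author.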


@ -0,0 +1,315 @@
commit ecedabee39e65415001ba59bf3c927329a10720f
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:40:02 2022 +0100
Manual edited patch scap-security-guide-0.1.61-no_time_servers_chrony-PR_8187.patch.
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
index a7b2a62..25a8589 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
@@ -3,17 +3,25 @@
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
to continuously poll the time source servers.") }}}
<criteria operator="OR">
- <criteria operator="AND">
- <criterion comment="check if maxpoll is set in /etc/ntp.conf"
- test_ref="test_ntp_set_maxpoll" />
- <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
- test_ref="test_ntp_all_server_has_maxpoll"/>
+ <criteria operator="OR">
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+ test_ref="test_ntp_no_server"/>
+ <criteria operator="AND">
+ <criterion comment="check if maxpoll is set in /etc/ntp.conf"
+ test_ref="test_ntp_set_maxpoll" />
+ <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+ test_ref="test_ntp_all_server_has_maxpoll"/>
+ </criteria>
</criteria>
- <criteria operator="AND">
- <criterion comment="check if maxpoll is set in /etc/chrony.conf"
- test_ref="test_chrony_set_maxpoll" />
- <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
- test_ref="test_chrony_all_server_has_maxpoll"/>
+ <criteria operator="OR">
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+ test_ref="test_chrony_no_server_nor_pool"/>
+ <criteria operator="AND">
+ <criterion comment="check if maxpoll is set in /etc/chrony.conf"
+ test_ref="test_chrony_set_maxpoll" />
+ <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
+ test_ref="test_chrony_all_server_has_maxpoll"/>
+ </criteria>
</criteria>
</criteria>
</definition>
@@ -77,4 +85,26 @@
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
</ind:textfilecontent54_state>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
+ id="test_chrony_no_server_nor_pool" version="1">
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+ id="test_ntp_no_server" version="1">
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
</def-group>
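Review bot: `test_ntp_no_server` is declared with `check_existence="all_exist"` over an object that collects `^server.*` lines from /etc/ntp.conf, so it is true exactly when server entries exist — the opposite of its name and of the chrony counterpart `test_chrony_no_server_nor_pool`, which uses `none_exist`. Because the new criteria OR this test with the maxpoll AND-block, any /etc/ntp.conf containing a server line now satisfies the rule even when no entry has maxpoll. Change it to `check_existence="none_exist"` and replace the pasted comment with `check if no server entry is set in /etc/ntp.conf`; the criterion comment on the ntp branch near the top of the file likewise says /etc/chrony.conf. A fixture with `server x.y.z` and no maxpoll in ntp.conf would have caught the inversion.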
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 854e8e8..77af724 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -11,6 +11,8 @@ description: |-
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
add the following:
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
+ to pass.
{{% if product == "rhcos4" %}}
<p>
Note that if the remediation shipping with this content is being used, the
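Review bot: The new sentence states that the rule passes with no `server`/`pool` directives, but a reader of the generated guide will not see that this means the rule no longer implies any time source is configured; the RHEL8 STIG profile in this patch pairs it with chronyd_server_directive for exactly that reason. Suggest extending it: `If no server or pool directives are configured, the rule evaluates to pass; ensure a time source is required by another rule, such as chronyd_server_directive.`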
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
new file mode 100644
index 0000000..bbae20f
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all pool and server options
+sed -i "/^pool.*/d" /etc/chrony.conf
+sed -i "/^server.*/d" /etc/chrony.conf
+
+systemctl enable chronyd.service
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
new file mode 100644
index 0000000..2244e60
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
+ <criteria comment="chrony.conf only has server directive">
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
+ version="1">
+ <ind:object object_ref="object_chronyd_server_directive" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
+ id="object_chronyd_server_directive" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
+ version="1">
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
+ id="object_chronyd_no_pool_directive" version="1">
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
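Review bot: The pool pattern `^[\s]+pool.*$` requires at least one leading whitespace character, so a `pool ...` directive written at column 0 — how the only_pool.fail.sh fixture writes it and how the profile comment describes the default chrony.conf — never matches, and `test_chronyd_server_directive_no_pool` (none_exist) passes. Combined with any `server` line, a configuration that still carries `pool` therefore satisfies the rule; the server pattern above correctly uses `*`. Change it to `^[\s]*pool.*$`, and add a fixture with both a server and a column-0 pool line that is expected to fail, since only_pool.fail.sh fails only because no server is present.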
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
new file mode 100644
index 0000000..6dc24f1
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure Chrony is only configured with the server directive'
+
+description: |-
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
+
+rationale: |-
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
+
+severity: medium
+
+platform: chrony
+
+warnings:
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
+
+identifiers:
+ cce@rhel8: CCE-86077-5
+ cce@rhel9: CCE-87077-4
+
+references:
+ disa: CCI-001891
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
+ stigid@rhel8: RHEL-08-030740
+
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
+
+ocil: |-
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
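Review bot: The OCIL command `grep -E "^(server|pool)" /etc/chrony.conf` inspects only the main file and only column-0 lines, while the OVAL for this rule also scans `/etc/chrony.d/*.conf` and accepts leading whitespace (`^[\s]*server`), so a manual assessor and the automated check can reach different verdicts on a pool directive kept in a drop-in. Suggested line: `# grep -E "^\s*(server|pool)" /etc/chrony.conf /etc/chrony.d/*.conf`. Typos in the prose: "infrastruture" → "infrastructure", "adminstrator" → "administrator", "only configure with" → "only configured with".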
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
new file mode 100644
index 0000000..d1ba075
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "" > /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
new file mode 100644
index 0000000..12a50eb
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+rm -f /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
new file mode 100644
index 0000000..bffa8b6
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "some line" > /etc/chrony.conf
+echo "another line" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
new file mode 100644
index 0000000..5527f38
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
new file mode 100644
index 0000000..616fe88
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^server.*" /etc/chrony.conf
+if ! grep "^pool.*" /etc/chrony.conf; then
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
+fi
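Review bot: `sed -i "^server.*" /etc/chrony.conf` is not a valid sed script — the address needs delimiters and a command, `sed -i "/^server.*/d" /etc/chrony.conf` — so sed exits with an error without touching the file, and the script carries on because there is no `set -e`. When the image already has a `pool` line the grep guard then skips the rewrite, leaving any pre-existing `server` lines in place and letting this .fail.sh fixture pass. The same malformed sed appears in multiple_servers.pass.sh and only_server.pass.sh, where it is masked only by the following `>` truncation.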
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
new file mode 100644
index 0000000..21a70dc
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7e142a9..bfb3753 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -910,6 +910,7 @@ selections:
# RHEL-08-030740
# remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
# RHEL-08-030741
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0584677..ec92589 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -188,7 +188,6 @@ CCE-86073-4
CCE-86074-2
CCE-86075-9
CCE-86076-7
-CCE-86077-5
CCE-86078-3
CCE-86079-1
CCE-86080-9
@@ -1168,7 +1167,6 @@ CCE-87073-3
CCE-87074-1
CCE-87075-8
CCE-87076-6
-CCE-87077-4
CCE-87078-2
CCE-87079-0
CCE-87080-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 26391b9..2411f02 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -154,6 +154,7 @@ selections:
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
- clean_components_post_updating
- configure_bashrc_exec_tmux
- configure_bind_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 31a3264..f0a9601 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -165,6 +165,7 @@ selections:
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
- clean_components_post_updating
- configure_bashrc_exec_tmux
- configure_bind_crypto_policy


@ -0,0 +1,80 @@
commit 2a3e271027ddfef1b8ebf55f4d02a0c6a8eb445f
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:12:44 2022 +0100
Manual edited patch scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch.
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5829039..eb6cf83 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,7 +50,7 @@ selections:
- var_password_pam_lcredit=1
- var_password_pam_retry=3
- var_password_pam_minlen=15
- - var_sshd_set_keepalive=0
+ # - var_sshd_set_keepalive=0
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
@@ -168,11 +168,13 @@ selections:
# RHEL-08-010190
- dir_perms_world_writable_sticky_bits
- # RHEL-08-010200
- - sshd_set_keepalive_0
-
- # RHEL-08-010201
- - sshd_set_idle_timeout
+ # These two items don't behave as they used to in RHEL8.6 and RHEL9
+ # anymore. They will be disabled for now until an alternative
+ # solution is found.
+ # # RHEL-08-010200
+ # - sshd_set_keepalive_0
+ # # RHEL-08-010201
+ # - sshd_set_idle_timeout
# RHEL-08-010210
- file_permissions_var_log_messages
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index b9eeff5..f181bd9 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -347,8 +347,6 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
-- sshd_set_idle_timeout
-- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -416,7 +414,6 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
-- var_sshd_set_keepalive=0
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 54bf46d..48e7d03 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -358,8 +358,6 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
-- sshd_set_idle_timeout
-- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -426,7 +424,6 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
-- var_sshd_set_keepalive=0
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
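Review bot: `sshd_idle_timeout_value=10_minutes` stays selected (the context line right after the commented-out `var_sshd_set_keepalive=0`) even though `sshd_set_idle_timeout`, the rule that consumes it, is disabled by this same patch; unless another selected rule reads that variable it is now an orphaned selection and should be commented out alongside, e.g. `# - sshd_idle_timeout_value=10_minutes`. The new comment block says the two rules "don't behave as they used to" but not what changed, so a later maintainer cannot judge when re-enabling is safe; suggest extending it with the observed behaviour and a tracking reference, e.g. `# see <TRACKING-ISSUE-PLACEHOLDER>`. Commenting out RHEL-08-010200 and RHEL-08-010201 also means the profile no longer evaluates the STIG's SSH session timeout requirement at all, and the comment should state that plainly so consumers of the profile know this control has to be verified by other means.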


@ -0,0 +1,122 @@
commit e5b8b968d882aa8fa1795dcabf185781f59b5671
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 12:01:18 2022 +0100
Manual edited patch scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch.
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
index 4cb2f9e..58f91ea 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -4,7 +4,6 @@
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
test_ref="test_configure_bashrc_exec_tmux" />
- <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
@@ -18,13 +17,4 @@
<ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
-
- <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
- <unix:object object_ref="obj_tmux_running"/>
- </unix:process58_test>
-
- <unix:process58_object id="obj_tmux_running" version="1">
- <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
- <unix:pid datatype="int" operation="greater than">0</unix:pid>
- </unix:process58_object>
</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 6be090b..0e4db6d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -8,19 +8,11 @@ description: |-
The <tt>tmux</tt> terminal multiplexer is used to implement
automatic session locking. It should be started from
<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
- Additionally it must be ensured that the <tt>tmux</tt> process is running
- and it can be verified with the following command:
- <pre>ps all | grep tmux | grep -v grep</pre>
rationale: |-
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
provides a mechanism to lock sessions after period of inactivity.
-warnings:
- - general: |-
- The remediation does not start the tmux process, so it must be
- manually started or have the system rebooted after applying the fix.
-
severity: medium
identifiers:
@@ -33,7 +25,7 @@ references:
srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009
stigid@rhel8: RHEL-08-020041
-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
+ocil_clause: 'exec tmux is not present at the end of bashrc'
ocil: |-
To verify that tmux is configured to execute,
@@ -45,9 +37,5 @@ ocil: |-
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) exec tmux ;; esac
fi</pre>
- To verify that the tmux process is running,
- run the following command:
- <pre>ps all | grep tmux | grep -v grep</pre>
- If the command does not produce output, this is a finding.
platform: machine
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
index 221c186..fbc7590 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -9,4 +9,3 @@ if [ "$PS1" ]; then
fi
EOF
-tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
index 1702bb1..6107f86 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -10,4 +10,3 @@ if [ "$PS1" ]; then
fi
EOF
-tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
deleted file mode 100644
index 6cb9d83..0000000
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# packages = tmux
-# remediation = none
-
-cat >> /etc/bashrc <<'EOF'
-if [ "$PS1" ]; then
- parent=$(ps -o ppid= -p $$)
- name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) exec tmux ;; esac
-fi
-EOF
-
-killall tmux || true
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
index f13a8b0..9b46165 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
fi
# vim:ts=4:sw=4
EOF
-
-tmux new-session -s root -d
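Review bot: With the `test_tmux_running` criterion and the whole `warnings` block removed, nothing in `rule.yml` tells the reader that the check is now configuration-only, so a host where the `/etc/bashrc` snippet is present but no tmux session ever starts (the case the deleted `tmux_not_running.fail.sh` exercised) passes silently. Rather than deleting the block, keep a short warning, e.g. `general: |-` followed by `The check only verifies the bashrc/profile.d configuration; it does not verify that a tmux session is actually active.`. The remaining OVAL pattern still matches the literal snippet only, while the description says drop-in files under `/etc/profile.d/` are acceptable too; whether the object also covers that directory is not visible in this hunk and is worth confirming.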


@ -0,0 +1,382 @@
commit 3064c4bc94047b1ca4c91db6008ded0694121563
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 10:57:59 2022 +0100
Manual edited patch scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch.
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 6c3cc55..9208a17 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -55,7 +55,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030420
stigid@rhel7: RHEL-07-030420
- stigid@rhel8: RHEL-08-030540
+ stigid@rhel8: RHEL-08-030490
stigid@sle12: SLES-12-020470
stigid@sle15: SLES-15-030300
stigid@ubuntu2004: UBTU-20-010153
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 3e51d48..595824c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -55,7 +55,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030430
stigid@rhel7: RHEL-07-030430
- stigid@rhel8: RHEL-08-030530
+ stigid@rhel8: RHEL-08-030490
stigid@sle12: SLES-12-020480
stigid@sle15: SLES-12-030310
stigid@ubuntu2004: UBTU-20-010154
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index d89875f..470a995 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -58,7 +58,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030380
stigid@rhel7: RHEL-07-030380
- stigid@rhel8: RHEL-08-030520
+ stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020430
stigid@sle15: SLES-15-030260
stigid@ubuntu2004: UBTU-20-010149
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index e6caaeb..4db008f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -55,7 +55,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030400
stigid@rhel7: RHEL-07-030400
- stigid@rhel8: RHEL-08-030510
+ stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020450
stigid@sle15: SLES-15-030280
stigid@ubuntu2004: UBTU-20-010150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index b9ad3c7..cd4b200 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -72,7 +72,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030480
stigid@rhel7: RHEL-07-030480
- stigid@rhel8: RHEL-08-030240
+ stigid@rhel8: RHEL-08-030200
stigid@sle12: SLES-12-020410
stigid@sle15: SLES-15-030210
stigid@ubuntu2004: UBTU-20-010147
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index cedf05f..dc6ef7f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -67,7 +67,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030450
stigid@rhel7: RHEL-07-030450
- stigid@rhel8: RHEL-08-030230
+ stigid@rhel8: RHEL-08-030200
stigid@sle12: SLES-12-020380
stigid@sle15: SLES-15-030230
stigid@ubuntu2004: UBTU-20-010144
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 190509c..e57e177 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -55,7 +55,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
stigid@ol7: OL07-00-030390
stigid@rhel7: RHEL-07-030390
- stigid@rhel8: RHEL-08-030500
+ stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020440
stigid@sle15: SLES-15-030270
stigid@ubuntu2004: UBTU-20-010151
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 3662262..52ee93a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -66,7 +66,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030460
stigid@rhel7: RHEL-07-030460
- stigid@rhel8: RHEL-08-030220
+ stigid@rhel8: RHEL-08-030200
stigid@sle15: SLES-15-030240
stigid@ubuntu2004: UBTU-20-010143
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index ac9d349..c462eb7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -71,7 +71,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
stigid@ol7: OL07-00-030470
stigid@rhel7: RHEL-07-030470
- stigid@rhel8: RHEL-08-030210
+ stigid@rhel8: RHEL-08-030200
stigid@sle12: SLES-12-020390
stigid@sle15: SLES-15-030190
stigid@ubuntu2004: UBTU-20-010145
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index b661a1f..23630ec 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -67,7 +67,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
stigid@ol7: OL07-00-030440
stigid@rhel7: RHEL-07-030440
- stigid@rhel8: RHEL-08-030270
+ stigid@rhel8: RHEL-08-030200
stigid@sle12: SLES-12-020370
stigid@sle15: SLES-15-030220
stigid@ubuntu2004: UBTU-20-010142
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index 37620a3..0f25e93 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -48,7 +48,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030890
stigid@rhel7: RHEL-07-030890
- stigid@rhel8: RHEL-08-030362
+ stigid@rhel8: RHEL-08-030361
stigid@ubuntu2004: UBTU-20-010270
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index e6b4004..7c5b3b0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -47,7 +47,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030900
stigid@rhel7: RHEL-07-030900
- stigid@rhel8: RHEL-08-030363
+ stigid@rhel8: RHEL-08-030361
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index bfe53b7..209c622 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -48,7 +48,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030910
stigid@rhel7: RHEL-07-030910
- stigid@rhel8: RHEL-08-030364
+ stigid@rhel8: RHEL-08-030361
stigid@ubuntu2004: UBTU-20-010267
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index bd246f1..56c644e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -48,7 +48,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
stigid@ol7: OL07-00-030920
stigid@rhel7: RHEL-07-030920
- stigid@rhel8: RHEL-08-030365
+ stigid@rhel8: RHEL-08-030361
stigid@ubuntu2004: UBTU-20-010268
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 5c751cb..4516c7c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -60,7 +60,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030500
stigid@rhel7: RHEL-07-030500
- stigid@rhel8: RHEL-08-030470
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020520
stigid@sle15: SLES-15-030160
stigid@ubuntu2004: UBTU-20-010158
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 76bcea1..4a845c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -63,7 +63,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030550
stigid@rhel7: RHEL-07-030550
- stigid@rhel8: RHEL-08-030460
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020510
stigid@sle15: SLES-15-030320
stigid@ubuntu2004: UBTU-20-010157
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 7c6764d..fc6cf35 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -63,7 +63,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030510
stigid@rhel7: RHEL-07-030510
- stigid@rhel8: RHEL-08-030440
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010155
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index 9bb5ffe..be08972 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -59,7 +59,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030530
stigid@rhel7: RHEL-07-030530
- stigid@rhel8: RHEL-08-030450
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020540
stigid@sle15: SLES-15-030180
stigid@ubuntu2004: UBTU-20-010160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index c99656c..63aa3f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -63,7 +63,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
stigid@ol7: OL07-00-030520
stigid@rhel7: RHEL-07-030520
- stigid@rhel8: RHEL-08-030430
+ stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020530
stigid@sle15: SLES-15-030170
stigid@ubuntu2004: UBTU-20-010159
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index aa17002..62cc33d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -50,7 +50,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
stigid@ol7: OL07-00-030821
stigid@rhel7: RHEL-07-030821
- stigid@rhel8: RHEL-08-030380
+ stigid@rhel8: RHEL-08-030360
stigid@sle12: SLES-12-020740
stigid@sle15: SLES-15-030530
stigid@ubuntu2004: UBTU-20-010180
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index a641eee..5829039 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -561,6 +561,8 @@ selections:
# RHEL-08-020220
- accounts_password_pam_pwhistory_remember_system_auth
+
+ # RHEL-08-020221
- accounts_password_pam_pwhistory_remember_password_auth
# RHEL-08-020230
@@ -713,18 +715,11 @@ selections:
# RHEL-08-030200
- audit_rules_dac_modification_lremovexattr
-
- # RHEL-08-030210
- audit_rules_dac_modification_removexattr
-
- # RHEL-08-030220
- audit_rules_dac_modification_lsetxattr
-
- # RHEL-08-030230
- audit_rules_dac_modification_fsetxattr
-
- # RHEL-08-030240
- audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_setxattr
# RHEL-08-030250
- audit_rules_privileged_commands_chage
@@ -732,8 +727,6 @@ selections:
# RHEL-08-030260
- audit_rules_execution_chcon
- # RHEL-08-030270
- - audit_rules_dac_modification_setxattr
# RHEL-08-030280
- audit_rules_privileged_commands_ssh_agent
@@ -788,28 +781,18 @@ selections:
# RHEL-08-030360
- audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_finit
# RHEL-08-030361
- audit_rules_file_deletion_events_rename
-
- # RHEL-08-030362
- audit_rules_file_deletion_events_renameat
-
- # RHEL-08-030363
- audit_rules_file_deletion_events_rmdir
-
- # RHEL-08-030364
- audit_rules_file_deletion_events_unlink
-
- # RHEL-08-030365
- audit_rules_file_deletion_events_unlinkat
# RHEL-08-030370
- audit_rules_privileged_commands_gpasswd
- # RHEL-08-030380
- - audit_rules_kernel_module_loading_finit
-
# RHEL-08-030390
- audit_rules_kernel_module_loading_delete
@@ -821,41 +804,21 @@ selections:
# RHEL-08-030420
- audit_rules_unsuccessful_file_modification_truncate
-
- # RHEL-08-030430
- audit_rules_unsuccessful_file_modification_openat
-
- # RHEL-08-030440
- audit_rules_unsuccessful_file_modification_open
-
- # RHEL-08-030450
- audit_rules_unsuccessful_file_modification_open_by_handle_at
-
- # RHEL-08-030460
- audit_rules_unsuccessful_file_modification_ftruncate
-
- # RHEL-08-030470
- audit_rules_unsuccessful_file_modification_creat
# RHEL-08-030480
- audit_rules_dac_modification_chown
-
- # RHEL-08-030490
- - audit_rules_dac_modification_chmod
-
- # RHEL-08-030500
- audit_rules_dac_modification_lchown
-
- # RHEL-08-030510
- audit_rules_dac_modification_fchownat
-
- # RHEL-08-030520
- audit_rules_dac_modification_fchown
- # RHEL-08-030530
+ # RHEL-08-030490
+ - audit_rules_dac_modification_chmod
- audit_rules_dac_modification_fchmodat
-
- # RHEL-08-030540
- audit_rules_dac_modification_fchmod
# RHEL-08-030550


@ -0,0 +1,334 @@
commit b2b8afa337bce598b9b56a243e7ad0be7ee9194e
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Feb 25 14:18:51 2022 +0100
Manually edited patch scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch.
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
new file mode 100644
index 0000000..1c151a1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv
+
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
+fi
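Review bot: The grep and sed addresses on the two preceding lines match only `sufficient` pam_unix lines, while the OVAL check shipped for this rule also accepts a `required` pam_unix line, so a password-auth file whose pam_unix password line is `required` and lacks `sha512` is left unfixed and still reports non-compliant after remediation. Widening both addresses to `^password.*\(required\|sufficient\).*pam_unix.so` keeps the remediation and the check in step. Note also that when nothing matches the sed is a silent no-op, so a file with no pam_unix password line at all is reported remediated without being changed; and since `--follow-symlinks` suggests the target is an authselect-managed symlink, a comment warning that a later `authselect apply-changes` can revert this edit would help the operator.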
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
new file mode 100644
index 0000000..24fdbe4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
@@ -0,0 +1,19 @@
+<def-group>
+ <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">
+ {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}
+ <criteria operator="AND">
+ <criterion test_ref="test_pam_unix_passwordauth_sha512" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">
+ <ind:object object_ref="object_pam_unix_passwordauth_sha512" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
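Review bot: The test passes as soon as one `password required|sufficient pam_unix.so ... sha512` line exists, so a second pam_unix password line in the same file without `sha512` is not reported; PAM applies module arguments per line, so that second line would presumably still hash with whatever its own arguments (or the library default) select. If that case matters, add a second object matching `^[\s]*password[\s]+(?:required|sufficient)[\s]+pam_unix\.so(?!.*\bsha512\b).*$` and test it with `check_existence="none_exist"`. The `.*sha512.*` fragment also matches `sha512` embedded in a longer token; `\bsha512\b` is the safer spelling.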
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
new file mode 100644
index 0000000..9375269
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
+
+title: "Set PAM's Password Hashing Algorithm - password-auth"
+
+description: |-
+ The PAM system service can be configured to only store encrypted
+ representations of passwords. In
+ <tt>/etc/pam.d/password-auth</tt>,
+ the
+ <tt>password</tt> section of the file controls which PAM modules execute
+ during a password change. Set the <tt>pam_unix.so</tt> module in the
+ <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown
+ below:
+ <br />
+ <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre>
+ <br />
+ This will help ensure when local users change their passwords, hashes for
+ the new passwords will be generated using the SHA-512 algorithm. This is
+ the default.
+
+rationale: |-
+ Passwords need to be protected at all times, and encryption is the standard
+ method for protecting passwords. If passwords are not encrypted, they can
+ be plainly read (i.e., clear text) and easily compromised. Passwords that
+ are encrypted with a weak algorithm are no more protected than if they are
+ kepy in plain text.
+ <br /><br />
+ This setting ensures user and group account administration utilities are
+ configured to store only encrypted representations of passwords.
+ Additionally, the <tt>crypt_style</tt> configuration option ensures the use
+ of a strong hashing algorithm that makes password cracking attacks more
+ difficult.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-85943-9
+ cce@rhel8: CCE-85945-4
+ cce@rhel9: CCE-85946-2
+
+references:
+ anssi: BP28(R32)
+ cis-csc: 1,12,15,16,5
+ cis@rhel7: 5.4.3
+ cis@rhel8: 5.4.4
+ cjis: 5.6.2.2
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ cui: 3.13.11
+ disa: CCI-000196
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
+ ism: 0418,1055,1402
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ nist: IA-5(c),IA-5(1)(c),CM-6(a)
+ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
+ pcidss: Req-8.2.1
+ srg: SRG-OS-000073-GPOS-00041
+ stigid@rhel7: RHEL-07-010200
+ stigid@rhel8: RHEL-08-010160
+ vmmsrg: SRG-OS-000480-VMM-002000
+
+ocil_clause: 'it does not'
+
+ocil: |-
+ Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>
+ and ensure that the <tt>pam_unix.so</tt> module includes the argument
+ <tt>sha512</tt>:
+ <pre>$ grep sha512 /etc/pam.d/password-auth</pre>
+
+platform: pam
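Review bot: The rationale sentence `Additionally, the crypt_style configuration option ensures ...` refers to the libuser `crypt_style` setting, which this rule neither checks nor remediates (it only inspects the `pam_unix.so` arguments in /etc/pam.d/password-auth); it looks copied from the libuserconf rule and should be replaced by `Additionally, the sha512 argument to pam_unix.so ensures the use of a strong hashing algorithm ...`. The description and rationale also speak of passwords being `encrypted`; pam_unix stores one-way hashes, so `hashed` is the accurate term (the title already says "Hashing Algorithm"), and `kepy` is a typo for `kept`. The OCIL command `grep sha512 /etc/pam.d/password-auth` matches comments and any module; `grep -E '^\s*password\s+(required|sufficient)\s+pam_unix\.so.*\bsha512\b' /etc/pam.d/password-auth` checks what the OVAL checks. Given the remediation follows symlinks, a `warnings:` entry noting that on authselect-managed systems a later `authselect select`/`apply-changes` may overwrite manual edits to password-auth would be worth adding, if that is indeed the deployment this targets.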
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
new file mode 100644
index 0000000..a924fe5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
new file mode 100644
index 0000000..68e925a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"
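Review bot: The sed strips `sha512` only from `sufficient` lines, but the OVAL for this rule also accepts a `required` pam_unix line, so on an image whose password-auth carries `password required pam_unix.so sha512` the scenario leaves the file compliant and the expected failure never happens. Widening the address to `/^password.*\(required\|sufficient\).*pam_unix.so/ s/ *sha512//g` makes the scenario exercise the check as written and also avoids leaving a dangling space behind.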
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
index 02af406..e7503fe 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -1,7 +1,9 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
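Review bot: Gating `AUTH_FILES[1]` on `product == "rhel7"` drops password-auth from this remediation for every other product named in the platform line (fedora, ol, rhv, wrlinux), yet the new passwordauth rule that takes over that file is declared only for `multi_platform_rhel,multi_platform_fedora,multi_platform_rhv` with a prodtype of `fedora,rhel7,rhel8,rhel9,rhv4`, so Oracle Linux and Wind River hosts lose password-auth remediation altogether. Either restrict the condition to the products that actually ship the new rule, e.g. `{{%- if product not in ["rhel8", "rhel9", "rhv4", "fedora"] %}}`, or extend the new rule's platform and prodtype to include ol and wrlinux. The `for` loop being edited continues past the end of the hunk.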
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index d76b6f8..a754a84 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -3,6 +3,9 @@
{{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
<criteria operator="AND">
<criterion test_ref="test_pam_unix_sha512" />
+ {{%- if product == "rhel7" %}}
+ <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />
+ {{%- endif %}}
</criteria>
</definition>
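Review bot: Emitting the password-auth `extend_definition` only for rhel7 means that on ol7/ol8, which still carry `stigid@ol7: OL07-00-010200` on this rule and are not in the new passwordauth rule's prodtype, the check now passes on a host whose password-auth pam_unix line has no `sha512`; the OL STIG item presumably covers both files just as the RHEL 7 one does. Match the condition to the products that really receive the new rule, e.g. `{{%- if product not in ["rhel8", "rhel9", "rhv4", "fedora"] %}}`, or add ol to the new rule's prodtype and platform so the coverage is not silently lost.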
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 24ab30d..58fcea9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -69,7 +69,7 @@ references:
srg: SRG-OS-000073-GPOS-00041
stigid@ol7: OL07-00-010200
stigid@rhel7: RHEL-07-010200
- stigid@rhel8: RHEL-08-010160
+ stigid@rhel8: RHEL-08-010159
stigid@sle12: SLES-12-010230
stigid@sle15: SLES-15-020170
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 7e48176..fb9feec 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -1,7 +1,9 @@
#!/bin/bash
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 09bb82d..2f35381 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -1,7 +1,9 @@
#!/bin/bash
AUTH_FILES[0]="/etc/pam.d/system-auth"
+{{%- if product == "rhel7" %}}
AUTH_FILES[1]="/etc/pam.d/password-auth"
+{{%- endif %}}
for pamFile in "${AUTH_FILES[@]}"
do
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index d76bb38..1045be3 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -54,6 +54,7 @@ selections:
- accounts_password_pam_difok
- accounts_passwords_pam_faillock_deny
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- require_singleuser_auth
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d51e53a..705caa8 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -147,6 +147,9 @@ selections:
# RHEL-08-010152
- require_emergency_target_auth
+ # RHEL-08-010159
+ - set_password_hashing_algorithm_passwordauth
+
# RHEL-08-010160
- set_password_hashing_algorithm_systemauth
diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile
index 90e196e..f1fb1f8 100644
--- a/products/rhv4/profiles/pci-dss.profile
+++ b/products/rhv4/profiles/pci-dss.profile
@@ -115,6 +115,7 @@ selections:
- service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_libuserconf
- file_owner_etc_shadow
diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
index ef28fa1..d17833b 100644
--- a/products/rhv4/profiles/rhvh-stig.profile
+++ b/products/rhv4/profiles/rhvh-stig.profile
@@ -355,6 +355,7 @@ selections:
- set_password_hashing_algorithm_libuserconf
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- package_opensc_installed
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile
index 9be3e34..3b5802d 100644
--- a/products/rhv4/profiles/rhvh-vpp.profile
+++ b/products/rhv4/profiles/rhvh-vpp.profile
@@ -200,6 +200,7 @@ selections:
- accounts_password_pam_unix_remember
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_libuserconf
- no_empty_passwords
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index fef5fd8..d8daeb3 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -69,9 +69,6 @@ CCE-85939-7
CCE-85940-5
CCE-85941-3
CCE-85942-1
-CCE-85943-9
-CCE-85945-4
-CCE-85946-2
CCE-85947-0
CCE-85948-8
CCE-85949-6
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index f58bcf9..e235d49 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -1,5 +1,9 @@
+title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
-documentation_complete: true
+extends: null
+metadata:
+ SMEs:
+ - yuumasato
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
selections:
- account_disable_post_pw_expiration
@@ -136,4 +141,8 @@ selections:
- var_multiple_time_servers=rhel
- var_sshd_set_keepalive=0
- var_smartcard_drivers=cac
-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+documentation_complete: true
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 3b4b43a..1b4b955 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -332,6 +332,7 @@ selections:
- service_systemd-coredump_disabled
- service_usbguard_enabled
- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- sshd_disable_compression
- sshd_disable_empty_passwords
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2e0e161..3568e07 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -343,6 +343,7 @@ selections:
- service_systemd-coredump_disabled
- service_usbguard_enabled
- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- sshd_disable_compression
- sshd_disable_empty_passwords


@ -0,0 +1,24 @@
From 92b0f4069bced7d9e1e459db0799d7d2fb9faa59 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 9 Feb 2022 14:47:52 +0100
Subject: [PATCH] Update ocil_clause of encrypt_partitions to exclude boot
partition.
Boot partitions are not part of required partitions to be encrypted.
---
.../software/disk_partitioning/encrypt_partitions/rule.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index e9d25a34fbd..13231dc2cc9 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -90,6 +90,7 @@ ocil: |-
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"</pre>
<br /><br />
- Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
+ The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
+ are not required to use disk encryption and are not a finding.
platform: machine
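Review bot: `The boot partition` leaves open whether the EFI System Partition mounted at /boot/efi is also exempt; firmware has to read it unencrypted, and an assessor looking at `blkid` output will see it as a separate vfat device with no `crypto_LUKS` type. Spelling it out removes the ambiguity: `The boot partitions (such as /boot and, on UEFI systems, /boot/efi) and pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.` If the STIG text only names the boot partition, mirror its wording and keep the ESP as a clarifying parenthetical.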


@ -0,0 +1,34 @@
commit 35b2bc766287571aa1e826344730a41ae790c379
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Feb 25 13:29:19 2022 +0100
Manually edited patch scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index 729e478..caccb6c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -28,7 +28,7 @@ references:
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
srg: SRG-OS-000250-GPOS-00093
- stigid@rhel8: RHEL-08-010020
+ stigid@rhel8: RHEL-08-010287
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6b9d799..5d03125 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -189,9 +189,7 @@ selections:
# RHEL-08-010260
- file_groupowner_var_log
- # *** SHARED *** #
- # RHEL-08-010290 && RHEL-08-010291
- # *** SHARED *** #
+ # RHEL-08-010287
- configure_ssh_crypto_policy
# RHEL-08-010290


@ -0,0 +1,189 @@
From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 1 Feb 2022 16:54:16 +0100
Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a
config.
The V1R5 release of RHEL8 STIG requires that the configuration should be
present only in one configuration file to prevent any ordering problem
when the modules loads the configuration using drop-in files that use
the lexicographically order of file names.
---
.../sudo/sudoers_validate_passwd/ansible/shared.yml | 6 +++---
.../sudo/sudoers_validate_passwd/oval/shared.xml | 12 ++++++------
.../software/sudo/sudoers_validate_passwd/rule.yml | 3 ++-
.../tests/sudoers_validate_passwd_duplicates.fail.sh | 7 +++++++
4 files changed, 18 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..19673634fb3 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,6 @@
# complexity = low
# disruption = low
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 646e6bfb7c0..b3fadd53bee 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -8,17 +8,17 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_targetpw_config" version="1">
<ind:object object_ref="object_test_sudoers_targetpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_rootpw_config" version="1">
<ind:object object_ref="object_test_sudoers_rootpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_runaspw_config" version="1">
<ind:object object_ref="object_test_sudoers_runaspw_config" />
</ind:textfilecontent54_test>
@@ -26,19 +26,19 @@
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
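Review bot: The three patterns anchor on the exact text `^Defaults !targetpw$`, so a valid sudoers spelling with different whitespace (`Defaults\t!targetpw`) or the combined form `Defaults !targetpw, !rootpw, !runaspw` is not counted and the rule reports a finding on a correctly configured host; conversely a later `Defaults targetpw` entry is never looked for, and since a later Defaults entry overrides an earlier one in sudoers, such a host passes while still prompting for the target user's password. A pattern like `^\s*Defaults\s+(?:.*,\s*)?!targetpw\s*(?:,.*)?$` covers the accepted spellings, and the positive form needs its own `none_exist` object. Separately, the filepath pattern `^/etc/sudoers(\.d/.*)?$` also matches drop-ins that sudo itself ignores (names containing `.` or ending in `~`), which now matters because any extra match is a failure.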
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index ccc29b77d15..698021d8fd0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
- If no results are returned, this is a finding
+ If no results are returned, this is a finding.
+ If results are returned from more than one file location, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 9 Feb 2022 15:24:23 +0100
Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove
duplicates.
---
.../ansible/shared.yml | 20 +++++++++++++++++++
.../sudoers_validate_passwd/bash/shared.sh | 12 +++++++++++
.../tests/sudoers_d_duplicate.fail.sh | 9 +++++++++
3 files changed, 41 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 19673634fb3..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,26 @@
# complexity = low
# disruption = low
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^{{{ line }}}$'
+ register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "^{{{ line }}}$"
+ state: absent
+ with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
@@ -1,5 +1,17 @@
# platform = multi_platform_all
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
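Review bot: The sed address `/{{{line}}}/d` is unanchored even though the guarding grep is exact (`-x`), so once any sudoers.d file holds an exact `Defaults !targetpw` line the `find -exec` deletes every line in every sudoers.d file that merely contains that text, including a commented `# Defaults !targetpw` note or a combined `Defaults !targetpw, !rootpw` entry, silently dropping the other options on that line. Anchor the delete to the exact match the check counts and quiet the probe: `if grep -qx '{{{line}}}' /etc/sudoers.d/* 2>/dev/null; then` followed by `find /etc/sudoers.d/ -type f -exec sed -i "/^{{{line}}}$/d" {} \;`. Note too that `{{{line}}}` contains `!`; harmless in a non-interactive remediation script, but anyone pasting the generated snippet into an interactive bash session will trip history expansion inside the double quotes.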
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
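Review bot: sudo's `#includedir` skips files whose names contain a `.` or end in `~`, so `/etc/sudoers.d/00-complianceascode.conf` is never read by sudo; the scenario therefore exercises the OVAL filepath pattern rather than a configuration sudo would honour, and the bash remediation's `find -type f` edits it regardless. Use a name sudo actually loads, e.g. `/etc/sudoers.d/00-complianceascode`, and consider creating it with `install -m 0440 /dev/null /etc/sudoers.d/00-complianceascode` so the scenario resembles a real drop-in.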


@ -0,0 +1,164 @@
From 17320d95043eb6acec223c6b1fe40f04d58d184d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Mar 2022 14:55:11 +0100
Subject: [PATCH] 8220.
---
.../ansible/shared.yml | 36 +++++++++++++++++
.../bash/shared.sh | 39 +++++++++++++++++++
.../oval/shared.xml | 4 +-
.../sudo_require_reauthentication/rule.yml | 14 +------
.../tests/multiple_correct_value.fail.sh | 10 +++++
5 files changed, 88 insertions(+), 15 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
new file mode 100644
index 0000000..b0c67a6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
@@ -0,0 +1,36 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ register: sudoers_d_defaults_timestamp_timeout
+
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ state: absent
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
+
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
+ validate: /usr/sbin/visudo -cf %s
+ backrefs: yes
+ register: edit_sudoers_timestamp_timeout_option
+
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
+ lineinfile: # noqa 503
+ path: /etc/sudoers
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
+ validate: /usr/sbin/visudo -cf %s
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
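Review bot: The final task can append a second `Defaults timestamp_timeout=` line to /etc/sudoers when the option is already set to the desired value but not in the exact canonical spelling. The `backrefs: yes` task reports changed=false in that case, the `when:` guard fires, and the last `lineinfile` (which has no `regexp:`) only looks for a byte-identical line, so `Defaults    timestamp_timeout=5` or `Defaults env_reset,timestamp_timeout=5` appears to get a duplicate appended — which the `only_one_exists` OVAL in this same patch then flags. A `changed` result is not an existence signal; the bash remediation greps first, and the playbook should do the same and gate the append on that result.
```yaml
# … unchanged: find/remove of timestamp_timeout in /etc/sudoers.d and the backrefs edit of /etc/sudoers …

- name: Check whether /etc/sudoers already defines timestamp_timeout
  command: grep -Pq '^\s*Defaults\s.*\btimestamp_timeout=' /etc/sudoers
  register: sudoers_timestamp_timeout_present
  changed_when: false
  failed_when: sudoers_timestamp_timeout_present.rc not in [0, 1]

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
    validate: /usr/sbin/visudo -cf %s
  when: sudoers_timestamp_timeout_present.rc != 0
```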
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
new file mode 100644
index 0000000..f291f53
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
@@ -0,0 +1,39 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
+
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option timestamp_timeout
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+ else
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
+
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
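Review bot: The `/etc/sudoers.d` clean-up at the top of the script misses indented `Defaults` lines, because in a grep BRE and in `sed` a bracketed `[\s]` matches a literal backslash or the letter `s`, not whitespace, while the OVAL for this rule uses PCRE and does count such lines. The same bracket is in the final `sed -Ei` substitution, so an indented `/etc/sudoers` line with the wrong value is found by the `grep -P` tests but never rewritten, and the script still exits 0. Use `\s` under `-P`/`-E` (or `[[:space:]]`) throughout: `if grep -qP '^\s*Defaults.*\btimestamp_timeout=' /etc/sudoers.d/*; then`, `find /etc/sudoers.d/ -type f -exec sed -Ei '/^\s*Defaults.*\btimestamp_timeout=/d' {} \;`, and `sed -Ei "s/(^\s*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers`. Note also that the drop-ins are edited with no backup and before any `visudo` validation, unlike `/etc/sudoers` below; deleting whole lines cannot break syntax, but a comment saying so would help the next reader.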
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
index 8f404ca..dfc319b 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
@@ -6,13 +6,13 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
<ind:object object_ref="obj_sudo_timestamp_timeout"/>
<ind:state state_ref="state_sudo_timestamp_timeout" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
- <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
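Review bot: The new filepath pattern `^/etc/sudoers(\.d/.*)?$` counts files that sudo never reads — drop-ins whose names contain a `.` or end in `~`, and anything in subdirectories — so an editor backup such as `/etc/sudoers.d/foo~` or a packaging leftover turns a compliant host into a finding under `only_one_exists` (the fixtures added in this patch use `.conf` names of exactly this kind). Restrict the pattern to what #includedir honours, roughly `^/etc/sudoers(\.d/[^./]*[^./~])?$`. Separately, the line pattern still requires `timestamp_timeout` to be the only option on its `Defaults` line, while both remediations accept `Defaults env_reset,timestamp_timeout=N`; after such a line is "fixed" the check still fails, so either widen the pattern or have the remediation canonicalise the line.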
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
index 8622d6a..f7a14a8 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -45,16 +45,4 @@ ocil: |-
<pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
The output should be:
<pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
-
-template:
- name: sudo_defaults_option
- vars:
- option: timestamp_timeout
- variable_name: "var_sudo_timestamp_timeout"
- # optional minus char added so remediation can detect properly if item is already configured
- option_regex_suffix: '=[-]?\w+\b'
- backends:
- # Template is not able to accomodate this particular check.
- # It needs to check for an integer greater than or equal to zero
- oval: "off"
-
+ If results are returned from more than one file location, this is a finding.
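Review bot: The new finding sentence `If results are returned from more than one file location, this is a finding.` is narrower than what the OVAL now enforces: `only_one_exists` also fails when `/etc/sudoers` alone carries two `timestamp_timeout` lines, and the grep shown lists those too. Say `If more than one line is returned, this is a finding.` so the manual and automated checks agree.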
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
new file mode 100644
index 0000000..a258d66
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+else
+ echo "Defaults timestamp_timeout=3" >> /etc/sudoers
+fi
+
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
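Review bot: The fixture lacks the `# packages = sudo` (and platform) header that the sibling `sudoers_d_duplicate.fail.sh` in this import declares, so on an image without sudo the redirect into `/etc/sudoers.d/` fails before the scenario is set up. Add `# packages = sudo` after the shebang. The `sed 's/.*timestamp_timeout.*/…/'` also rewrites comment lines that merely mention the option, which is harmless for a fixture but worth anchoring with `^\s*Defaults` so the scenario only touches real directives.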
--
2.34.1


@ -0,0 +1,303 @@
commit 36b22c1b5f2cf6bdbe346cbca9c185f75e5dc8e6
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:28:39 2022 +0100
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch.
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bf..4519460 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,7 +1,11 @@
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# reboot = true
+# strategy = enable
+# complexity = low
+# disruption = low
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
- cat >> /etc/bashrc <<'EOF'
+ cat >> /etc/profile.d/tmux.sh <<'EOF'
if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
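Review bot: The idempotency guard on the `if ! grep -x … /etc/bashrc` line still looks only at `/etc/bashrc`, but the remediation now writes to `/etc/profile.d/tmux.sh`, so every re-run appends another copy of the snippet to that file and a host remediated twice ends up with two `exec tmux` blocks. Check the file you write as well: `if ! grep -qx ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then`. The heredoc body continues past the end of this hunk. Since every interactive shell sources this file, an explicit `chmod 0644 /etc/profile.d/tmux.sh` after the heredoc would make its intended permissions independent of the caller's umask.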
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
index 00ac349..4cb2f9e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -4,21 +4,27 @@
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
test_ref="test_configure_bashrc_exec_tmux" />
+ <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check="only one" check_existence="only_one_exists"
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="check tmux is configured to exec on the last line of /etc/bashrc"
id="test_configure_bashrc_exec_tmux" version="1">
<ind:object object_ref="obj_configure_bashrc_exec_tmux" />
- <ind:state state_ref="state_configure_bashrc_exec_tmux" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
<ind:behaviors singleline="true" multiline="false" />
- <ind:filepath>/etc/bashrc</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
+ <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_configure_bashrc_exec_tmux" version="1">
- <ind:subexpression datatype="string" operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:subexpression>
- </ind:textfilecontent54_state>
+
+ <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
+ <unix:object object_ref="obj_tmux_running"/>
+ </unix:process58_test>
+
+ <unix:process58_object id="obj_tmux_running" version="1">
+ <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
+ <unix:pid datatype="int" operation="greater than">0</unix:pid>
+ </unix:process58_object>
</def-group>
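Review bot: The new filepath pattern `^/etc/profile\.d/.*$` accepts files that bash never sources — the stock `/etc/bashrc` (reproduced in the `wrong_value` fixture) and `/etc/profile` only loop over `/etc/profile.d/*.sh` — so a snippet in `/etc/profile.d/tmux.conf` passes the check while no session is ever wrapped in tmux; the `correct_value_d_directory` fixture added here exercises exactly that false pass. Tighten to `^/etc/bashrc$|^/etc/profile\.d/[^/]+\.sh$`. The process58 criterion is also a statement about current sessions rather than configuration: any user's `tmux` process (or any process whose command line merely starts with `tmux`) satisfies it, and a correctly configured server with nobody logged in fails it; if that is mandated by the STIG check it should at least be spelled out in the rule's warning.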
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index c43b8cb..6be090b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -7,12 +7,20 @@ title: 'Support session locking with tmux'
description: |-
The <tt>tmux</tt> terminal multiplexer is used to implement
automatic session locking. It should be started from
- <tt>/etc/bashrc</tt>.
+ <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
+ Additionally it must be ensured that the <tt>tmux</tt> process is running
+ and it can be verified with the following command:
+ <pre>ps all | grep tmux | grep -v grep</pre>
rationale: |-
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
provides a mechanism to lock sessions after period of inactivity.
+warnings:
+ - general: |-
+ The remediation does not start the tmux process, so it must be
+ manually started or have the system rebooted after applying the fix.
+
severity: medium
identifiers:
@@ -25,17 +33,21 @@ references:
srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009
stigid@rhel8: RHEL-08-020041
-ocil_clause: 'exec tmux is not present at the end of bashrc'
+ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
ocil: |-
To verify that tmux is configured to execute,
run the following command:
- <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc</pre>
+ <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*</pre>
The output should return the following:
<pre>if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) exec tmux ;; esac
fi</pre>
+ To verify that the tmux process is running,
+ run the following command:
+ <pre>ps all | grep tmux | grep -v grep</pre>
+ If the command does not produce output, this is a finding.
platform: machine
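Review bot: The verification command `ps all | grep tmux | grep -v grep` only lists processes that have a controlling tty (BSD `a` without `x`), and a detached tmux server — what `tmux new-session -d` starts and what the fixtures rely on — has none, so an assessor following this text can record a finding on a host the OVAL process check passes. If the wording is not required verbatim by the STIG, `pgrep -a -x tmux` (or `ps -eo pid,user,tty,args | grep '[t]mux'`) reports the same set the automated check sees. The same command appears in the description hunk above.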
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
new file mode 100644
index 0000000..221c186
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = tmux
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
new file mode 100644
index 0000000..1702bb1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = tmux
+
+
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+tmux new-session -s root -d
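Review bot: `/etc/profile.d/00-complianceascode.conf` is never sourced — the stock `/etc/bashrc` and `/etc/profile` only read `/etc/profile.d/*.sh` — so this fixture describes a host where the check passes but no login is wrapped in tmux. Name it `/etc/profile.d/00-complianceascode.sh` so the pass scenario reflects an effective configuration (and narrow the OVAL filepath pattern to `\.sh$` to match).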
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
new file mode 100644
index 0000000..1dc38b8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
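Review bot: This scenario fails for a reason unrelated to its name: it declares no `# packages = tmux` and never starts tmux, so the `test_tmux_running` criterion is what fails, not the duplicated snippet. The textfilecontent test in the same patch is `all_exist` with `instance >= 1`, which accepts the snippet in both `/etc/bashrc` and a profile.d file, so with tmux running this configuration would pass. Either add `# packages = tmux` plus `tmux new-session -s root -d` and rename it to a `.pass.sh` scenario, or, if duplicates really must be rejected, change that OVAL test to `only_one_exists` and keep this as a fail case.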
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
new file mode 100644
index 0000000..6cb9d83
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = tmux
+# remediation = none
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+killall tmux || true
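Review bot: `killall` comes from psmisc, which `# packages = tmux` does not pull in, and the trailing `|| true` hides its absence; on a minimal image a tmux server left behind by another scenario would survive and this fail case would wrongly pass. `pkill -x tmux || true` uses procps-ng, which is always present, and matches the process name exactly.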
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..f13a8b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+# packages = tmux
+
+cat > /etc/bashrc <<'EOF'
+# /etc/bashrc
+
+# System wide functions and aliases
+# Environment stuff goes in /etc/profile
+
+# It's NOT a good idea to change this file unless you know what you
+# are doing. It's much better to create a custom.sh shell script in
+# /etc/profile.d/ to make custom changes to your environment, as this
+# will prevent the need for merging in future updates.
+
+# Prevent doublesourcing
+if [ -z "$BASHRCSOURCED" ]; then
+ BASHRCSOURCED="Y"
+
+ # are we an interactive shell?
+ if [ "$PS1" ]; then
+ if [ -z "$PROMPT_COMMAND" ]; then
+ case $TERM in
+ xterm*|vte*)
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+ elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
+ PROMPT_COMMAND="__vte_prompt_command"
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+ fi
+ ;;
+ screen*)
+ if [ -e /etc/sysconfig/bash-prompt-screen ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
+ else
+ PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+ fi
+ ;;
+ *)
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+ ;;
+ esac
+ fi
+ # Turn on parallel history
+ shopt -s histappend
+ history -a
+ # Turn on checkwinsize
+ shopt -s checkwinsize
+ [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
+ # You might want to have e.g. tty in prompt (e.g. more virtual machines)
+ # and console windows
+ # If you want to do so, just add e.g.
+ # if [ "$PS1" ]; then
+ # PS1="[\u@\h:\l \W]\\$ "
+ # fi
+ # to your custom modification shell script in /etc/profile.d/ directory
+ fi
+
+ if ! shopt -q login_shell ; then # We're not a login shell
+ # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
+ pathmunge () {
+ case ":${PATH}:" in
+ *:"$1":*)
+ ;;
+ *)
+ if [ "$2" = "after" ] ; then
+ PATH=$PATH:$1
+ else
+ PATH=$1:$PATH
+ fi
+ esac
+ }
+
+ # By default, we want umask to get set. This sets it for non-login shell.
+ # Current threshold for system reserved uid/gids is 200
+ # You could check uidgid reservation validity in
+ # /usr/share/doc/setup-*/uidgid file
+ if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
+ umask 002
+ else
+ umask 022
+ fi
+
+ SHELL=/bin/bash
+ # Only display echos from profile.d scripts if we are no login shell
+ # and interactive - otherwise just process them to set envvars
+ for i in /etc/profile.d/*.sh; do
+ if [ -r "$i" ]; then
+ if [ "$PS1" ]; then
+ . "$i"
+ else
+ . "$i" >/dev/null
+ fi
+ fi
+ done
+
+ unset i
+ unset -f pathmunge
+ fi
+
+fi
+# vim:ts=4:sw=4
+EOF
+
+tmux new-session -s root -d


@ -0,0 +1,199 @@
commit 8fe724cfa0f4cea726ddd7adb44cfbba0931b865
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 10:38:13 2022 +0100
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch.
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
index 5b3afb3..67d6836 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
@@ -14,12 +14,3 @@
- xorg-x11-server-Xwayland
{{% endif %}}
state: absent
-
-
-- name: Switch to multi-user runlevel
- file:
- src: /usr/lib/systemd/system/multi-user.target
- dest: /etc/systemd/system/default.target
- state: link
- force: yes
-
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
index dbabe57..496dc74 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
@@ -12,6 +12,3 @@
{{% if product not in ["rhel7", "ol7"] %}}
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
{{% endif %}}
-
-# configure run level
-systemctl set-default multi-user.target
\ No newline at end of file
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
index 0710efe..0868ec6 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
@@ -2,10 +2,6 @@
<definition class="compliance" id="xwindows_remove_packages" version="1">
{{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
<criteria>
- {{%- if init_system == "systemd" and target_oval_version != [5, 10] %}}
- <extend_definition comment="system is configured to boot into multi-user.target"
- definition_ref="xwindows_runlevel_target" />
- {{%- endif %}}
<criterion comment="package xorg-x11-server-Xorg is not installed"
test_ref="package_xorg-x11-server-Xorg_removed" />
<extend_definition comment="package xorg-x11-server-common is removed"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 935766d..00ef7d8 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -66,5 +66,7 @@ warnings:
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
- again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
+ again.
+ The rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.
+ If a GUI is an operational requirement, a tailored profile that removes this rule should used before
continuing installation.
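Review bot: The re-added warning line keeps the typo `should used`; make it `a tailored profile that removes this rule should be used before`. While here, `multi-user.target` is a literal unit name and reads better as `<tt>multi-user.target</tt>`, matching the `<tt>xwindows_runlevel_target</tt>` markup on the preceding line.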
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
deleted file mode 100644
index 9bf62a4..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
-systemctl set-default multi-user.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
deleted file mode 100644
index 4eeb697..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
-ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
new file mode 100644
index 0000000..b3908cf
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
+{{{ bash_package_install("xorg-x11-server-utils") }}}
+{{{ bash_package_install("xorg-x11-server-common") }}}
+{{% if product not in ["rhel7", "ol7"] %}}
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
+{{% endif %}}
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
new file mode 100644
index 0000000..abafdbd
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# based on shared/templates/package_removed/tests/package-installed-removed.pass.sh
+
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
+{{{ bash_package_install("xorg-x11-server-utils") }}}
+{{{ bash_package_install("xorg-x11-server-common") }}}
+{{% if product not in ["rhel7", "ol7"] %}}
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
+{{% endif %}}
+
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
+{{{ bash_package_remove("xorg-x11-server-common") }}}
+{{% if product not in ["rhel7", "ol7"] %}}
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
+{{% endif %}}
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
new file mode 100644
index 0000000..a403e10
--- /dev/null
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
+{{{ bash_package_remove("xorg-x11-server-common") }}}
+{{% if product not in ["rhel7", "ol7"] %}}
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
+{{% endif %}}
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
deleted file mode 100644
index ff7d0ef..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
-
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
deleted file mode 100644
index d8ecd8c..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 7
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
-
-systemctl set-default graphical.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
deleted file mode 100644
index 14f1a97..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
-
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
deleted file mode 100644
index c678ef7..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
-
-systemctl set-default graphical.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
deleted file mode 100644
index bf8a615..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
-systemctl set-default graphical.target
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
deleted file mode 100644
index 652088b..0000000
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
-
-ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target



@ -0,0 +1,673 @@
commit 94a680f9601fc2119c08fc6514712611d7f0d935
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Feb 25 14:43:33 2022 +0100
Manual edited patch scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch.
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index 10203c9..3c9e460 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -37,7 +37,7 @@ references:
disa: CCI-001499
nist: CM-5(6),CM-5(6).1
srg: SRG-OS-000259-GPOS-00100
- stigid@rhel8: RHEL-08-010350
+ stigid@rhel8: RHEL-08-010351
stigid@sle12: SLES-12-010876
stigid@sle15: SLES-15-010356
stigid@ubuntu2004: UBTU-20-010431
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
index 50fdb17..6a05a2b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
new file mode 100644
index 0000000..6a05a2b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ find "$dirPath" -type d -exec chgrp root '{}' \;
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 0000000..36461f5
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
new file mode 100644
index 0000000..3f09e3d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index 043ad6b..36461f5 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
index e236238..ba923d8 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
@@ -27,7 +27,7 @@ references:
srg: SRG-OS-000258-GPOS-00099
stigid@ubuntu2004: UBTU-20-010424
-ocil_clause: 'any system exectables directories are found to not be owned by root'
+ocil_clause: 'any system executables directories are found to not be owned by root'
ocil: |-
System executables are stored in the following directories by default:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
deleted file mode 100644
index 28e193f..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance" id="dir_ownership_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- directories therein, are owned by root.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_dir_ownership_lib_dir" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">
- <unix:object object_ref="object_dir_ownership_lib_dir" />
- </unix:file_test>
-
-
- <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_library_dirs_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="state_owner_library_dirs_not_root" version="1">
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
index d6a0bed..f0781b3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
@@ -27,6 +27,8 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-89021-0
+ cce@rhel9: CCE-89022-8
cce@sle12: CCE-83236-0
cce@sle15: CCE-85735-9
@@ -34,6 +36,7 @@ references:
disa: CCI-001499
nist: CM-5(6),CM-5(6).1
srg: SRG-OS-000259-GPOS-00100
+ stigid@rhel8: RHEL-08-010341
stigid@sle12: SLES-12-010874
stigid@sle15: SLES-15-010354
stigid@ubuntu2004: UBTU-20-010429
@@ -49,3 +52,14 @@ ocil: |-
For each of these directories, run the following command to find files not
owned by root:
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ recursive: 'true'
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
similarity index 69%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
index 0189166..a0d4990 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -type d -exec chown root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
similarity index 63%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
index 59b8a18..f366c2d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
+groupadd nogroup
DIRS="/lib /lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
index a0e4e24..add26b2 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
@@ -1,8 +1,8 @@
<def-group>
<definition class="compliance" id="dir_permissions_library_dirs" version="1">
{{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are not group-writable or world-writable.
+ Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64
+ are not group-writable or world-writable.
") }}}
<criteria operator="AND">
<criterion test_ref="dir_test_perms_lib_dir" />
@@ -19,7 +19,7 @@
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true" />
<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">dir_perms_state_symlink</filter>
+ <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>
</unix:file_object>
<unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
@@ -27,7 +27,7 @@
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
- <unix:file_state id="dir_perms_state_symlink" version="1">
+ <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
index 853f8ac..558eaa7 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -60,3 +60,14 @@ ocil: |-
To find shared libraries that are group-writable or world-writable,
run the following command for each directory <i>DIR</i> which contains shared libraries:
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ recursive: 'true'
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
index 7168288..eec7485 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = medium
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
index a9e8c7d..e352dd3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index de81a37..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
- command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
- register: libraries_not_owned_by_root
- changed_when: False
- failed_when: False
- check_mode: no
-
-- name: "Set ownership of system libraries to root"
- file:
- path: "{{ item }}"
- owner: "root"
- with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
- when: libraries_not_owned_by_root | length > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
deleted file mode 100644
index c75167d..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
-do
- if [ -d $LIBDIR ]
- then
- find -L $LIBDIR \! -user root -exec chown root {} \;
- fi
-done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
deleted file mode 100644
index 59ee3d8..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_ownership_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are owned by root.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_ownership_lib_dir" />
- <criterion test_ref="test_ownership_lib_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">
- <unix:object object_ref="object_file_ownership_lib_dir" />
- </unix:file_test>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">
- <unix:object object_ref="object_file_ownership_lib_files" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_libraries_not_root</filter>
- </unix:file_object>
-
- <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
- <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_libraries_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="state_owner_libraries_not_root" version="1">
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index dfedd25..81089d3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -59,3 +59,14 @@ ocil: |-
For each of these directories, run the following command to find files not
owned by root:
<pre>$ sudo find -L <i>$DIR</i> ! -user root -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
new file mode 100644
index 0000000..92c6a08
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+do
+ if [[ -d $SYSLIBDIRS ]]
+ then
+ find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;
+ fi
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
new file mode 100644
index 0000000..84da71f
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+do
+ if [[ ! -f $TESTFILE ]]
+ then
+ touch $TESTFILE
+ fi
+ chown user_test $TESTFILE
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
deleted file mode 100644
index cf9eeba..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = high
-# disruption = medium
-- name: "Read list of world and group writable files in libraries directories"
- command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
- register: world_writable_library_files
- changed_when: False
- failed_when: False
- check_mode: no
-
-- name: "Disable world/group writability to library files"
- file:
- path: "{{ item }}"
- mode: "go-w"
- with_items: "{{ world_writable_library_files.stdout_lines }}"
- when: world_writable_library_files.stdout_lines | length > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
deleted file mode 100644
index af04ad6..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_all
-DIRS="/lib /lib64 /usr/lib /usr/lib64"
-for dirPath in $DIRS; do
- find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
-done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
deleted file mode 100644
index f25c522..0000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are not group-writable or world-writable.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_perms_lib_dir" />
- <criterion test_ref="test_perms_lib_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">
- <unix:object object_ref="object_file_permissions_lib_dir" />
- </unix:file_test>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">
- <unix:object object_ref="object_file_permissions_lib_files" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">perms_state_symlink</filter>
- </unix:file_object>
-
- <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
- <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">perms_state_symlink</filter>
- </unix:file_object>
-
- <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:owrite datatype="boolean">true</unix:owrite>
- </unix:file_state>
-
- <unix:file_state id="perms_state_symlink" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 902d8b5..e9afb91 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -60,3 +60,14 @@ ocil: |-
To find shared libraries that are group-writable or world-writable,
run the following command for each directory <i>DIR</i> which contains shared libraries:
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
similarity index 100%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 3b983de..3a1e5ba 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
title: |-
Verify the system-wide library files in directories
- "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
+ "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
description: |-
System-wide library files are stored in the following directories
@@ -15,7 +15,7 @@ description: |-
/usr/lib64
</pre>
All system-wide shared library files should be protected from unauthorised
- access. If any of these files is not owned by root, correct its owner with
+ access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
<pre>$ sudo chgrp root <i>FILE</i></pre>
@@ -46,7 +46,7 @@ references:
stigid@sle15: SLES-15-010355
stigid@ubuntu2004: UBTU-20-01430
-ocil_clause: 'system wide library files are not group owned by root'
+ocil_clause: 'system wide library files are not group-owned by root'
ocil: |-
System-wide library files are stored in the following directories:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
index a4ae285..5356d37 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
index c96f65b..9636acf 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
do
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d6f0793..5b2cc0f 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -233,8 +233,13 @@ selections:
# RHEL-08-010340
- file_ownership_library_dirs
+ # RHEL-08-010341
+ - dir_ownership_library_dirs
+
# RHEL-08-010350
- root_permissions_syslibrary_files
+
+ # RHEL-08-010351
- dir_group_ownership_library_dirs
# RHEL-08-010359
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index d8daeb3..0584677 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3074,8 +3074,6 @@ CCE-89017-8
CCE-89018-6
CCE-89019-4
CCE-89020-2
-CCE-89021-0
-CCE-89022-8
CCE-89023-6
CCE-89024-4
CCE-89025-1
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
index 68fc2e1..0b4ab59 100644
--- a/shared/templates/file_groupowner/ansible.template
+++ b/shared/templates/file_groupowner/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
index fd2e5db..64a4944 100644
--- a/shared/templates/file_groupowner/oval.template
+++ b/shared/templates/file_groupowner/oval.template
@@ -45,6 +45,10 @@
{{%- else %}}
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
+ <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>
</unix:file_object>
{{% endfor %}}
+ <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
</def-group>
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 590c9fc..dba9e65 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index 105e29c..777831d 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -44,6 +44,10 @@
{{%- else %}}
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
+ <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>
</unix:file_object>
{{% endfor %}}
+ <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
</def-group>
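Review bot: The symlink exclusion is added without any explanation, and the template emits the `<filter>` reference once per `unix:file_object` inside the loop while the `unix:file_state` is declared once after `{{% endfor %}}`, which is only valid as long as `FILEID` and `FILEUID` make the id unique within the def-group; a comment should record both facts. I would add above the state: `<!-- shared by every file_object above: excludes items whose type is "symbolic link", so only the link targets (checked under their own path, if inside the scanned directories) are evaluated -->`. Whether the OVAL collector reports links as items of type `symbolic link` on every supported OpenSCAP version is not visible here and is what the filter relies on. The `{{% for %}}` opening the object list lies outside the hunk.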
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index fc211bd..6d4dedc 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Set permissions for {{{ path }}} file(s)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 1b4b955..c2522c9 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -175,6 +175,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_ownership_library_dirs
- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 3568e07..95d87fd 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -186,6 +186,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_ownership_library_dirs
- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits


@ -0,0 +1,137 @@
commit 11140ac5d67f256a7d3c8fdac9eca73c007dabb8
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:04:30 2022 +0100
Manually edited patch scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index 1d53a71..2e47e16 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -46,7 +46,7 @@ ocil_clause: 'that is not the case'
ocil: |-
To check the value for maximum consecutive repeating characters, run the following command:
<pre>$ grep maxclassrepeat /etc/security/pwquality.conf</pre>
- For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
+ For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
platform: pam
@@ -55,3 +55,4 @@ template:
vars:
variable: maxclassrepeat
operation: less than or equal
+ zero_comparison_operation: greater than
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
new file mode 100644
index 0000000..5d91559
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
+else
+ echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
+fi
+
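Review bot: The `grep -q 'maxclassrepeat'` on the `if` line also matches a commented line such as `# maxclassrepeat = 0`, and the `sed 's/.*maxclassrepeat.*/.../'` then rewrites that comment into the active setting; that is presumably the intent, since a file shipping only the commented default would otherwise end up with both a comment and an appended line, but nothing in the script says so. Add `# a commented default (e.g. "# maxclassrepeat = 0") also matches and is rewritten into the active setting` above the `if`. The same pattern is repeated in the four sibling scenario scripts, so a fix here should be mirrored there.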
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
new file mode 100644
index 0000000..4bd8070
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
+else
+ echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
new file mode 100644
index 0000000..61538a4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
+else
+ echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..2218250
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
+else
+ echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
new file mode 100644
index 0000000..780873c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
+else
+ echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
+fi
+
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
index 332a280..b995db1 100644
--- a/shared/templates/accounts_password/oval.template
+++ b/shared/templates/accounts_password/oval.template
@@ -7,11 +7,14 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all"
+ <ind:textfilecontent54_test check="all" state_operator="AND"
comment="check the configuration of /etc/security/pwquality.conf"
id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
+ {{%- if ZERO_COMPARISON_OPERATION %}}
+ <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
+ {{%- endif %}}
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
@@ -24,5 +27,11 @@
<ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
</ind:textfilecontent54_state>
+ {{%- if ZERO_COMPARISON_OPERATION %}}
+ <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
+ <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ {{%- endif %}}
+
<external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
</def-group>
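Review bot: The new `_zero_comparison` state compares the captured subexpression with the literal `0` using `{{{ ZERO_COMPARISON_OPERATION }}}`, but the object's regex is outside this hunk and, per template.py in this patch, only `*credit` variables get the `-?` sign prefix; for maxclassrepeat a value such as `-1` therefore most likely never matches the object at all, so negative_value.fail.sh fails through non-existence rather than through this state. That is acceptable but should be written down, e.g. `<!-- rejects 0 (disabled); negative values are rejected earlier because the object regex admits no sign for this variable -->`, otherwise the next person will try to make this state catch negatives. The `<ind:textfilecontent54_object>` whose regex decides this starts before the hunk.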
diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
index 65c25ec..ab849d1 100644
--- a/shared/templates/accounts_password/template.py
+++ b/shared/templates/accounts_password/template.py
@@ -1,4 +1,7 @@
+from ssg.utils import parse_template_boolean_value
+
def preprocess(data, lang):
if lang == "oval":
data["sign"] = "-?" if data["variable"].endswith("credit") else ""
+ data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
return data
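Review bot: The added `from ssg.utils import parse_template_boolean_value` is never used in the hunk, and `data.get("zero_comparison_operation", None)` spells out the default `get` already provides; drop the import and write `data["zero_comparison_operation"] = data.get("zero_comparison_operation")`. The function also lacks a docstring; a one-liner such as `"""Fill OVAL-only keys: the optional sign for *credit variables and the optional zero comparison operator."""` would tell readers why the key is set only in the `oval` branch.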


@ -5,7 +5,7 @@
Name: scap-security-guide
Version: 0.1.57
Release: 5%{?dist}
Release: 9%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -74,6 +74,49 @@ Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
Patch57: scap-security-guide-0.1.58-RHEL_08_010400-PR_7411.patch
Patch58: scap-security-guide-0.1.58-BZ_1942281-PR_7471.patch
Patch59: scap-security-guide-0.1.59-add_missing_stig_ids-PR_7597.patch
Patch60: scap-security-guide-0.1.59-fix_6844-PR_7673.patch
Patch61: scap-security-guide-0.1.59-fix_7333-PR_7692.patch
Patch62: scap-security-guide-0.1.59-sshd_priv_keys_600-PR_7742.patch
Patch63: scap-security-guide-0.1.59-BZ1884687-PR_7770.patch
Patch64: scap-security-guide-0.1.59-BZ1884687D-PR_7837.patch
Patch65: scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch
Patch66: scap-security-guide-0.1.59-BZ1884687B-PR_7790.patch
Patch67: scap-security-guide-0.1.60-rhel8_stig_v1r4-PR_7930.patch
Patch68: scap-security-guide-0.1.60-sysctl_d_directories-PR_7999.patch
Patch69: scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch
Patch70: scap-security-guide-0.1.59-multifile_templates-PR_7405.patch
Patch71: scap-security-guide-0.1.61-file_groupowner-PR_7791.patch
Patch72: scap-security-guide-0.1.61-file_owner-PR_7789.patch
Patch73: scap-security-guide-0.1.61-file_permissions-PR_7788.patch
Patch74: scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch
Patch75: scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch
Patch76: scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
Patch77: scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch
Patch78: scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch
Patch79: scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch
Patch80: scap-security-guide-0.1.61-add_RHEL_08_040321-PR_8169.patch
Patch81: scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch
Patch82: scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch
Patch83: scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch
Patch84: scap-security-guide-0.1.61-update_RHEL_08_010030-PR_8183.patch
Patch85: scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
Patch86: scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
Patch87: scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch
Patch88: scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch
Patch89: scap-security-guide-0.1.61-no_time_servers_chrony-PR_8187.patch
Patch90: scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch
Patch91: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
Patch92: scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
Patch93: scap-security-guide-0.1.58-templated_tests-PR_7211.patch
Patch94: reorder-reference-in-alphabetical-order.patch
Patch95: scap-security-guide-0.1.59-fix_accounts_umask_interactive_users-PR_7898.patch
Patch96: scap-security-guide-0.1.58-fix_rsyslog_streamdriver_remediation_typos-PR_7570.patch
Patch97: scap-security-guide-0.1.59-rsyslog_encrypt_offload_fix_7741-PR_7755.patch
Patch98: scap-security-guide-0.1.58-ansible_disable_ctrlaltdel_reboot-PR_7571.patch
Patch99: scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch
BuildRequires: libxslt
BuildRequires: expat
@ -177,6 +220,18 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Thu Mar 24 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-9
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
* Wed Mar 23 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-8
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
* Mon Mar 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-7
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
* Thu Feb 24 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-6
- Update RHEL8 STIG profile to V1R5 (RHBZ#2059876)
* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).