rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import scap-security-guide-0.1.57-5.el9

Browse Source
This commit is contained in:
CentOS Sources 2021-11-03 14:59:06 -04:00 committed by Stepan Oksanichenko
commit c69fd0bf07
17 changed files with 10808 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/scap-security-guide-0.1.57.tar.bz2

1
.scap-security-guide.metadata Normal file
View File

@ -0,0 +1 @@
d78bdc956df4301c3b3bbb2f9f24d809d7b1d08c SOURCES/scap-security-guide-0.1.57.tar.bz2

702
SOURCES/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch Normal file
View File

@ -0,0 +1,702 @@
From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 9 Jul 2021 14:41:03 +0200
Subject: [PATCH 01/12] ensure that higher policy levels can override variables
of lower levels
---
ssg/controls.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 297d80e46c5..165cdf0511a 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
- for c in all_policy_controls:
- if len(level_ids.intersection(c.levels)) > 0:
- eligible_controls.append(c)
+ defined_variables = []
+ # we will go level by level, from top to bottom
+ # this is done to enable overriding of variables by higher levels
+ for lv in level_ids:
+ for c in all_policy_controls:
+ if lv in c.levels:
+ # if the control has a variable, check if it is not already defined
+ if c.variables.keys().isdisjoint(defined_variables):
+ eligible_controls.append(c)
+ defined_variables += [*c.variables.keys()]
return eligible_controls
def get_all_controls(self, policy_id):
From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 14:02:25 +0200
Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
because of compatibility with python2
---
ssg/controls.py | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 165cdf0511a..611a647e125 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -2,6 +2,7 @@
import logging
import os
from glob import glob
+from collections import OrderedDict
import ssg.build_yaml
import ssg.yaml
@@ -152,16 +153,18 @@ def get_level(self, level_id):
raise ValueError(msg)
def get_level_with_ancestors(self, level_id):
- levels = set()
+ # use OrderedDict for Python2 compatibility instead of ordered set
+ levels = OrderedDict()
level = self.get_level(level_id)
- levels.add(level)
+ levels[level] = ""
if level.inherits_from:
for lv in level.inherits_from:
- levels.update(self.get_level_with_ancestors(lv))
+ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
+ for l in eligible_levels:
+ levels[l] = ""
return levels
-
class ControlsManager():
def __init__(self, controls_dir, env_yaml=None):
self.controls_dir = os.path.abspath(controls_dir)
@@ -198,20 +201,24 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- level_ids = set([lv.id for lv in levels])
+ # we use OrderedDict here with empty values instead of ordered set
+ # cause we want to be compatible with python 2
+ level_ids = OrderedDict()
+ for lv in levels.keys():
+ level_ids[lv.id] = ""
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in level_ids:
+ for lv in level_ids.keys():
for c in all_policy_controls:
if lv in c.levels:
# if the control has a variable, check if it is not already defined
if c.variables.keys().isdisjoint(defined_variables):
eligible_controls.append(c)
- defined_variables += [*c.variables.keys()]
+ defined_variables += list(c.variables.keys())
return eligible_controls
def get_all_controls(self, policy_id):
From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 16:30:10 +0200
Subject: [PATCH 03/12] rework handling of variables when returning all
controls of a level
currently only the top most level variables are kept in the controls
if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control
the original control stays in tact
---
ssg/controls.py | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 611a647e125..4ebb8bda3d7 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -1,8 +1,8 @@
import collections
import logging
import os
+import copy
from glob import glob
-from collections import OrderedDict
import ssg.build_yaml
import ssg.yaml
@@ -154,7 +154,7 @@ def get_level(self, level_id):
def get_level_with_ancestors(self, level_id):
# use OrderedDict for Python2 compatibility instead of ordered set
- levels = OrderedDict()
+ levels = collections.OrderedDict()
level = self.get_level(level_id)
levels[level] = ""
if level.inherits_from:
@@ -201,24 +201,39 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
+ print ("getting levels of " + level_id)
+ print ([ l.id for l in levels.keys()])
# we use OrderedDict here with empty values instead of ordered set
# cause we want to be compatible with python 2
- level_ids = OrderedDict()
+ level_ids = collections.OrderedDict()
for lv in levels.keys():
level_ids[lv.id] = ""
-
+ print (level_ids.keys())
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
for lv in level_ids.keys():
+ print ("going through level " +lv)
for c in all_policy_controls:
+ print (c.levels)
if lv in c.levels:
# if the control has a variable, check if it is not already defined
- if c.variables.keys().isdisjoint(defined_variables):
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
- defined_variables += list(c.variables.keys())
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
+ eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 16:31:25 +0200
Subject: [PATCH 04/12] add tests for defining of variables
---
tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++
tests/unit/ssg-module/test_controls.py | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index aded77c12a6..b98a7cd4e19 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -19,10 +19,14 @@ controls:
- id: S2
levels:
- low
+ rules:
+ - var_password_pam_minlen=1
- id: S3
levels:
- medium
+ rules:
+ - var_password_pam_minlen=2
- id: S4
title: Configure authentication
@@ -36,3 +40,5 @@ controls:
title: Enforce password quality standards
levels:
- high
+ rules:
+ - var_password_pam_minlen=3
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index ff9b04f26c9..06fcb0c375d 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -87,6 +87,11 @@ def test_controls_levels():
assert len(low_controls) == 4
assert len(medium_controls) == 5
+ # test overriding of variables in levels
+ assert c_2.variables["var_password_pam_minlen"] == "1"
+ assert c_3.variables["var_password_pam_minlen"] == "2"
+ assert c_4b.variables["var_password_pam_minlen"] == "3"
+
def test_controls_load_product():
ssg_root = \
From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 6 Aug 2021 09:30:47 +0200
Subject: [PATCH 05/12] make overriding of variables optional
---
ssg/controls.py | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 4ebb8bda3d7..90639fbe4c7 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -198,42 +198,42 @@ def _get_policy(self, policy_id):
raise ValueError(msg)
return policy
- def get_all_controls_of_level(self, policy_id, level_id):
+ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
+ # if override_vars is enabled, then variables from higher levels will
+ # override variables efined in controls of lower levels
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- print ("getting levels of " + level_id)
- print ([ l.id for l in levels.keys()])
# we use OrderedDict here with empty values instead of ordered set
# cause we want to be compatible with python 2
level_ids = collections.OrderedDict()
for lv in levels.keys():
level_ids[lv.id] = ""
- print (level_ids.keys())
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
for lv in level_ids.keys():
- print ("going through level " +lv)
for c in all_policy_controls:
- print (c.levels)
if lv in c.levels:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
+ if override_vars == False:
eligible_controls.append(c)
- for var in variables:
- if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
- else:
- defined_variables.append(var)
+ else:
+ # if the control has a variable, check if it is not already defined
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
+ eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 12:38:42 +0200
Subject: [PATCH 06/12] fix a typo
---
ssg/controls.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 90639fbe4c7..10a304bf8c2 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -200,7 +200,7 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
# if override_vars is enabled, then variables from higher levels will
- # override variables efined in controls of lower levels
+ # override variables defined in controls of lower levels
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
# we use OrderedDict here with empty values instead of ordered set
From 8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 17:02:11 +0200
Subject: [PATCH 07/12] update tests to check that overriding of variables
works
---
.../ssg-module/data/controls_dir/abcd-levels.yml | 4 +---
tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index b98a7cd4e19..99efafd832e 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -25,8 +25,6 @@ controls:
- id: S3
levels:
- medium
- rules:
- - var_password_pam_minlen=2
- id: S4
title: Configure authentication
@@ -41,4 +39,4 @@ controls:
levels:
- high
rules:
- - var_password_pam_minlen=3
+ - var_password_pam_minlen=2
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index 06fcb0c375d..124b344d141 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -89,8 +89,20 @@ def test_controls_levels():
# test overriding of variables in levels
assert c_2.variables["var_password_pam_minlen"] == "1"
- assert c_3.variables["var_password_pam_minlen"] == "2"
- assert c_4b.variables["var_password_pam_minlen"] == "3"
+ assert "var_password_pam_minlen" not in c_3.variables.keys()
+ assert c_4b.variables["var_password_pam_minlen"] == "2"
+
+ for c in low_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "1"
+
+ for c in medium_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "1"
+
+ for c in high_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "2"
def test_controls_load_product():
From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 17:02:32 +0200
Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting
controls of a certain level
---
ssg/controls.py | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 10a304bf8c2..7923f0cb379 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -198,9 +198,7 @@ def _get_policy(self, policy_id):
raise ValueError(msg)
return policy
- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
- # if override_vars is enabled, then variables from higher levels will
- # override variables defined in controls of lower levels
+ def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
# we use OrderedDict here with empty values instead of ordered set
@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
for lv in level_ids.keys():
for c in all_policy_controls:
if lv in c.levels:
- if override_vars == False:
+ # if the control has a variable, check if it is not already defined
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
- else:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
+ continue
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
eligible_controls.append(c)
- for var in variables:
- if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
- else:
- defined_variables.append(var)
- eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 15:30:39 +0200
Subject: [PATCH 09/12] get rid of one ordereddict
---
ssg/controls.py | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 7923f0cb379..891b13c891c 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -201,19 +201,14 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- # we use OrderedDict here with empty values instead of ordered set
- # cause we want to be compatible with python 2
- level_ids = collections.OrderedDict()
- for lv in levels.keys():
- level_ids[lv.id] = ""
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in level_ids.keys():
+ for lv in levels.keys():
for c in all_policy_controls:
- if lv in c.levels:
+ if lv.id in c.levels:
# if the control has a variable, check if it is not already defined
variables = list(c.variables.keys())
if len(variables) == 0:
From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 16:44:57 +0200
Subject: [PATCH 10/12] fix overriding of variables
when there were multiple variables overridden, it caused problems by creating multiple copies of controls
---
ssg/controls.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 891b13c891c..8b69676313c 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id):
if len(variables) == 0:
eligible_controls.append(c)
continue
+ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
for var in variables:
if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
+ variables_to_remove.append(var)
else:
defined_variables.append(var)
- eligible_controls.append(c)
+ if len(variables_to_remove) == 0:
+ eligible_controls.append(c)
+ else:
+ new_c = copy.deepcopy(c)
+ for var in variables_to_remove:
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
return eligible_controls
def get_all_controls(self, policy_id):
From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 16:45:38 +0200
Subject: [PATCH 11/12] extended tests to test for multiple overridden
variables
---
.../data/controls_dir/abcd-levels.yml | 2 ++
tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index 99efafd832e..2e60ec43532 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -21,6 +21,7 @@ controls:
- low
rules:
- var_password_pam_minlen=1
+ - var_some_variable=1
- id: S3
levels:
@@ -40,3 +41,4 @@ controls:
- high
rules:
- var_password_pam_minlen=2
+ - var_some_variable=3
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index 124b344d141..1465661b04a 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -104,6 +104,25 @@ def test_controls_levels():
if "var_password_pam_minlen" in c.variables.keys():
assert c.variables["var_password_pam_minlen"] == "2"
+ # now test if controls of lower level has the variable definition correctly removed
+ # because it is overriden by higher level controls
+ s2_high = [c for c in high_controls if c.id == "S2"]
+ assert len(s2_high) == 1
+ assert "var_some_variable" not in s2_high[0].variables.keys()
+ assert "var_password_pam_minlen" not in s2_high[0].variables.keys()
+ s4b_high = [c for c in high_controls if c.id == "S4.b"]
+ assert len(s4b_high) == 1
+ assert s4b_high[0].variables["var_some_variable"] == "3"
+ assert s4b_high[0].variables["var_password_pam_minlen"] == "2"
+
+ # check that in low level the variable is correctly placed there in S2
+ s2_low = [c for c in low_controls if c.id == "S2"]
+ assert len(s2_low) == 1
+ assert s2_low[0].variables["var_some_variable"] == "1"
+ assert s2_low[0].variables["var_password_pam_minlen"] == "1"
+
+
+
def test_controls_load_product():
ssg_root = \
From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 10:39:22 +0200
Subject: [PATCH 12/12] Style improvements
- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence,
and made it return a list - a dictionary result is quite confusing.
- Removed some optimization in the variable deletion loops.
- Extracted functionality to a _get_control_without_variables static
method.
- Defined variable removal steps using set operations.
---
ssg/controls.py | 54 +++++++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 26 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 8b69676313c..ca3187d5b16 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -152,17 +152,17 @@ def get_level(self, level_id):
)
raise ValueError(msg)
- def get_level_with_ancestors(self, level_id):
+ def get_level_with_ancestors_sequence(self, level_id):
# use OrderedDict for Python2 compatibility instead of ordered set
levels = collections.OrderedDict()
level = self.get_level(level_id)
levels[level] = ""
if level.inherits_from:
for lv in level.inherits_from:
- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
+ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()]
for l in eligible_levels:
levels[l] = ""
- return levels
+ return list(levels.keys())
class ControlsManager():
@@ -200,35 +200,37 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
- levels = policy.get_level_with_ancestors(level_id)
+ levels = policy.get_level_with_ancestors_sequence(level_id)
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
- defined_variables = []
+ already_defined_variables = set()
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in levels.keys():
- for c in all_policy_controls:
- if lv.id in c.levels:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
- eligible_controls.append(c)
- continue
- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
- for var in variables:
- if var in defined_variables:
- variables_to_remove.append(var)
- else:
- defined_variables.append(var)
- if len(variables_to_remove) == 0:
- eligible_controls.append(c)
- else:
- new_c = copy.deepcopy(c)
- for var in variables_to_remove:
- del new_c.variables[var]
- eligible_controls.append(new_c)
+ for lv in levels:
+ for control in all_policy_controls:
+ if lv.id not in control.levels:
+ continue
+
+ variables = set(control.variables.keys())
+
+ variables_to_remove = variables.intersection(already_defined_variables)
+ already_defined_variables.update(variables)
+
+ new_c = self._get_control_without_variables(variables_to_remove, control)
+ eligible_controls.append(new_c)
+
return eligible_controls
+ @staticmethod
+ def _get_control_without_variables(variables_to_remove, control):
+ if not variables_to_remove:
+ return control
+
+ new_c = copy.deepcopy(control)
+ for var in variables_to_remove:
+ del new_c.variables[var]
+ return new_c
+
def get_all_controls(self, policy_id):
policy = self._get_policy(policy_id)
return policy.controls_by_id.values()

5333
SOURCES/scap-security-guide-0.1.58-cis_def-PR_6976.patch Normal file
View File

File diff suppressed because it is too large Load Diff

31
SOURCES/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch Normal file
View File

@ -0,0 +1,31 @@
From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 15:26:00 +0200
Subject: [PATCH] Remove a spurious whitespace trim
The first line of the if- block ended up in the metadata comment.
---
.../disable_ctrlaltdel_reboot/bash/shared.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 4cbf5c8465..610da67668 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,8 +1,8 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-{{%- if init_system == "systemd" -%}}
+{{% if init_system == "systemd" -%}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
-{{%- else -%}}
+{{%- else %}}
# If system does not contain control-alt-delete.override,
if [ ! -f /etc/init/control-alt-delete.override ]; then
# but does have control-alt-delete.conf file,
@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then
fi
fi
sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
-{{%- endif -%}}
+{{%- endif %}}

160
SOURCES/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch Normal file
View File

@ -0,0 +1,160 @@
From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 18 Aug 2021 15:16:59 +0200
Subject: [PATCH] Fix RHEL7 documentation links.
---
linux_os/guide/services/ldap/openldap_client/group.yml | 2 +-
linux_os/guide/services/ldap/openldap_server/group.yml | 2 +-
.../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +-
.../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +-
linux_os/guide/services/ntp/group.yml | 2 +-
.../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +-
linux_os/guide/services/sssd/group.yml | 2 +-
.../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +---
linux_os/guide/system/auditing/group.yml | 2 +-
.../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +-
.../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +-
11 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml
index bf17a053cd5..a64f105395f 100644
--- a/linux_os/guide/services/ldap/openldap_client/group.yml
+++ b/linux_os/guide/services/ldap/openldap_client/group.yml
@@ -13,7 +13,7 @@ description: |-
files, which is useful when trying to use SSL cleanly across several protocols.
Installation and configuration of OpenLDAP on {{{ full_name }}} is available at
{{% if product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
{{% elif product == "ol7" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}.
{{% endif %}}
diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml
index c180820e9fc..d571867a7f8 100644
--- a/linux_os/guide/services/ldap/openldap_server/group.yml
+++ b/linux_os/guide/services/ldap/openldap_server/group.yml
@@ -7,5 +7,5 @@ description: |-
for an OpenLDAP server.
{{% if product == "rhel7" %}}
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at:
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
{{% endif %}}
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
index 8f939356ab1..7dc188589ee 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
@@ -14,7 +14,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
index 503aecc0de2..27df8595efa 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
@@ -14,7 +14,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml
index 181b10dfd65..b944ee03116 100644
--- a/linux_os/guide/services/ntp/group.yml
+++ b/linux_os/guide/services/ntp/group.yml
@@ -54,7 +54,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% elif product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% elif "ubuntu" in product %}}
{{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}}
{{% elif "debian" in product %}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
index 065cf301b95..00739816f5e 100644
--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
@@ -17,7 +17,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for guidance which NTP daemon to choose depending on the environment used.
diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml
index 5b0caf7d64b..3f4eced7ca7 100644
--- a/linux_os/guide/services/sssd/group.yml
+++ b/linux_os/guide/services/sssd/group.yml
@@ -11,7 +11,7 @@ description: |-
<br /><br />
For more information, see
{{%- if product == "rhel7" -%}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}}
{{%- elif product == "rhel8" -%}}
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}}
{{%- elif product == "ol7" -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
index fc7f149bf40..62a343cf396 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
@@ -8,9 +8,7 @@ description: |-
To enable smart card authentication, consult the documentation at:
<ul>
{{% if product == "rhel7" %}}
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
- {{% elif product == "rhel8" %}}
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
+ <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}</b></li>
{{% elif product == "ol7" %}}
<li><b>{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}</b></li>
{{% endif %}}
diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml
index 82f87e81c47..5fce88db032 100644
--- a/linux_os/guide/system/auditing/group.yml
+++ b/linux_os/guide/system/auditing/group.yml
@@ -38,7 +38,7 @@ description: |-
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation available at
- <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
+ <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index add0a41fa94..cd07fb4c0ca 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -38,7 +38,7 @@ description: |-
{{% elif product in ["sle12", "sle15"] %}}
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% elif product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}.
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
{{% endif %}}
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
index 8e8b32f1d79..299b96c0592 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
@@ -14,5 +14,5 @@ description: |-
the man page <tt>dconf(1)</tt>.
{{% else %}}
For more information about enforcing preferences in the GNOME3 environment using the DConf
- configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/></b> and the man page <tt>dconf(1)</tt>.
+ configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/></b> and the man page <tt>dconf(1)</tt>.
{{% endif %}}

28
SOURCES/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch Normal file
View File

@ -0,0 +1,28 @@
From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 3 Aug 2021 16:50:23 +0200
Subject: [PATCH] add details about gpgkey package for rhel9
---
products/rhel9/product.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 78c65fd805..4ceb332adf 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -13,10 +13,10 @@ init_system: "systemd"
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
-pkg_release: ""
-pkg_version: ""
-aux_pkg_release: ""
-aux_pkg_version: ""
+pkg_release: "4ae0493b"
+pkg_version: "fd431d51"
+aux_pkg_release: "5b32db75"
+aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

55
SOURCES/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch Normal file
View File

@ -0,0 +1,55 @@
From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@canonical.com>
Date: Tue, 27 Jul 2021 15:20:08 -0400
Subject: [PATCH] Remove FragmentPath check from service_disabled
In https://github.com/systemd/systemd/issues/582 it is documented that
systemd could eventually replace FragmentPath=/dev/null (on masked
services) with the actual service path -- not the fully (symlink)
resolved path as is currently the case.
This matches the behavior currently seen in Ubuntu (all versions) and
RHEL 9/Fedora 34.
Per discussion with Gabriel, Matej, Richard, and Matt, it is best to
remove this check, especially since ActiveState=Masked suffices.
Resolves: #7280
Resolves: #7248
Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
---
shared/templates/service_disabled/oval.template | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template
index 33b52518307..e4ccb0566e7 100644
--- a/shared/templates/service_disabled/oval.template
+++ b/shared/templates/service_disabled/oval.template
@@ -13,7 +13,6 @@
<criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
<criterion comment="{{{ SERVICENAME }}} is not running" test_ref="test_service_not_running_{{{ SERVICENAME }}}" />
<criterion comment="Property LoadState of service {{{ SERVICENAME }}} is masked" test_ref="test_service_loadstate_is_masked_{{{ SERVICENAME }}}" />
- <criterion comment="Property FragmentPath of service {{{ SERVICENAME }}} is set to /dev/null" test_ref="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" />
</criteria>
</criteria>
</definition>
@@ -41,18 +40,6 @@
<linux:value>masked</linux:value>
</linux:systemdunitproperty_state>
- <linux:systemdunitproperty_test id="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" check="all" check_existence="any_exist" comment="Test that the property FragmentPath from the service {{{ SERVICENAME }}} is set to /dev/null" version="1">
- <linux:object object_ref="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- <linux:state state_ref="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- </linux:systemdunitproperty_test>
- <linux:systemdunitproperty_object id="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" comment="Retrieve the FragmentPath property of {{{ SERVICENAME }}}" version="1">
- <linux:unit operation="pattern match">^{{{ SERVICENAME }}}\.(service|socket)$</linux:unit>
- <linux:property>FragmentPath</linux:property>
- </linux:systemdunitproperty_object>
- <linux:systemdunitproperty_state id="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" version="1" comment="FragmentPath is set to /dev/null">
- <linux:value>/dev/null</linux:value>
- </linux:systemdunitproperty_state>
-
{{% else %}}
{{% if init_system != "systemd" %}}

256
SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch Normal file
View File

@ -0,0 +1,256 @@
From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 13:08:10 +0200
Subject: [PATCH] Add ISM Official kickstarts
---
.../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
.../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
2 files changed, 232 insertions(+)
create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
new file mode 100644
index 0000000000..d84d98b12d
--- /dev/null
+++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
new file mode 100644
index 0000000000..517919539a
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject

1834
SOURCES/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
SOURCES/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch Normal file
View File

@ -0,0 +1,39 @@
From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 24 Aug 2021 12:48:46 +0200
Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it
RHEL8 CIS.
This new selector is used to select explicit DEFAULT value in RHEL8 CIS
L1 profiles. The "default" selector cannot be selected and it causes
errors if used.
---
controls/cis_rhel8.yml | 2 +-
.../software/integrity/crypto/var_system_crypto_policy.var | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 29d972427cf..c0d3f5f40de 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -553,7 +553,7 @@ controls:
automated: yes
rules:
- configure_crypto_policy
- - var_system_crypto_policy=default
+ - var_system_crypto_policy=default_policy
# This rule works in conjunction with the configure_crypto_policy above.
# If a system is remediated to CIS Level 1, just the rule above will apply
diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
index ce301154a39..8b89848d122 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
@@ -13,6 +13,7 @@ interactive: false
options:
default: DEFAULT
+ default_policy: DEFAULT
default_nosha1: "DEFAULT:NO-SHA1"
fips: FIPS
fips_ospp: "FIPS:OSPP"

186
SOURCES/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch Normal file
View File

@ -0,0 +1,186 @@
From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 15:05:35 +0200
Subject: [PATCH 1/3] Add cpe platform for s390x arch
---
.../guide/system/bootloader-zipl/group.yml | 2 +-
shared/applicability/arch.yml | 12 +++++++
shared/applicability/general.yml | 5 ---
...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----------
.../proc_sys_kernel_osrelease_arch_s390x.xml | 33 +++++++++++++++++++
5 files changed, 48 insertions(+), 26 deletions(-)
create mode 100644 shared/applicability/arch.yml
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 64c6c8dffbe..4f8ce753726 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
options to it.
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
-platform: zipl
+platform: s390x_arch
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
new file mode 100644
index 00000000000..48b2aa3ef30
--- /dev/null
+++ b/shared/applicability/arch.yml
@@ -0,0 +1,12 @@
+cpes:
+
+ - not_s390x_arch:
+ name: "cpe:/a:not_s390x_arch"
+ title: "System architecture is not S390X"
+ check_id: proc_sys_kernel_osrelease_arch_not_s390x
+
+ - s390x_arch:
+ name: "cpe:/a:s390x_arch"
+ title: "System architecture is S390X"
+ check_id: proc_sys_kernel_osrelease_arch_s390x
+
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 7382b7dd302..6e3ecfd9bf9 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -24,11 +24,6 @@ cpes:
title: "Package net-snmp is installed"
check_id: installed_env_has_net-snmp_package
- - not_s390x_arch:
- name: "cpe:/a:not_s390x_arch"
- title: "System architecture is not S390X"
- check_id: proc_sys_kernel_osrelease_arch_not_s390x
-
- nss-pam-ldapd:
name: "cpe:/a:nss-pam-ldapd"
title: "Package nss-pam-ldapd is installed"
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
index 1fc625a1e75..d95ce249c49 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
@@ -9,26 +9,8 @@
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>
</metadata>
<criteria>
- <criterion comment="Architecture is not s390x"
- test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
+ <extend_definition comment="Architecture is not s390x"
+ definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="proc_sys_kernel is for s390x architecture"
- id="test_proc_sys_kernel_osrelease_arch_s390x"
- version="1">
- <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
- <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
- <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
- </ind:textfilecontent54_state>
-
</def-group>
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
new file mode 100644
index 00000000000..abc6f1b0b88
--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <metadata>
+ <title>Test for different architecture than s390x</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Architecture is s390x"
+ test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="proc_sys_kernel is for s390x architecture"
+ id="test_proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+ <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 16:16:11 +0200
Subject: [PATCH 2/3] Remove zipl CPE platform
The package names for zipl changed recently.
As zipl is an s390 exclusive, lets use the arch check instead of
package name check.
---
shared/applicability/bootloaders.yml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
index 57832118447..6856578621c 100644
--- a/shared/applicability/bootloaders.yml
+++ b/shared/applicability/bootloaders.yml
@@ -4,8 +4,3 @@ cpes:
name: "cpe:/a:grub2"
title: "Package grub2 is installed"
check_id: installed_env_has_grub2_package
-
- - zipl:
- name: "cpe:/a:zipl"
- title: "System uses zipl"
- check_id: installed_env_has_zipl_package
From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:53:59 +0200
Subject: [PATCH 3/3] Fix typo in check title
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
index abc6f1b0b88..7f416de6475 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -2,7 +2,7 @@
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
version="1">
<metadata>
- <title>Test for different architecture than s390x</title>
+ <title>Test that the architecture is s390x</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>

74
SOURCES/scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch Normal file
View File

@ -0,0 +1,74 @@
From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 16:17:15 +0200
Subject: [PATCH 1/2] Come up with a better basename
On Red Hat systems, there is 50-redhat.conf, so
60-complianceascode.conf seems to be a generally good fit.
---
shared/templates/sshd_lineinfile/bash.template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index eac758e310b..e15ab9521b8 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/hardening
{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
{{{ set_config_file(
- path="/etc/ssh/sshd_config.d/hardening",
+ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
parameter=PARAMETER,
value=VALUE,
create=true,
From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 17:51:17 +0200
Subject: [PATCH 2/2] Fix the sshd directory config check
The check should consider only files matching .*\.conf
---
.../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++--
.../tests/correct_value_directory.pass.sh | 2 +-
shared/macros-oval.jinja | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
index 177a99e0b82..6e064ffc739 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -11,5 +11,5 @@ else
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
fi
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
index 0aa2e775dbe..acb650915fe 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -11,4 +11,4 @@ else
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
fi
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 87e0fd7d87d..f2fa7d79fc8 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -227,7 +227,7 @@
{{%- endmacro %}}
{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
{{%- endmacro %}}
{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}

664
SOURCES/scap-security-guide-0.1.58-sshd_directory-PR_6926.patch Normal file
View File

@ -0,0 +1,664 @@
From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 29 Apr 2021 16:54:03 +0200
Subject: [PATCH 1/6] Updated checks and remediations of the sshd template.
Configuration of sshd moves from one config file to a config directory.
Therefore, checks should consider all those files, and the remediation should aim
to deliver fixes to one of those files in the config directory.
Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.
---
.../tests/commented.fail.sh | 7 ++
.../tests/conflict.fail.sh | 15 ++++
.../tests/correct_value_directory.pass.sh | 14 ++++
shared/macros-bash.jinja | 9 +++
shared/macros-oval.jinja | 61 +++++++++++------
.../templates/sshd_lineinfile/bash.template | 22 ++++++
.../templates/sshd_lineinfile/oval.template | 68 +++++++++++++++++--
7 files changed, 168 insertions(+), 28 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
new file mode 100644
index 00000000000..484c2165532
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
new file mode 100644
index 00000000000..177a99e0b82
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# platform = Fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
+
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
new file mode 100644
index 00000000000..0aa2e775dbe
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# platform = Fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
+
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 1cd2c62b5e0..b4518d83c19 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -471,6 +471,15 @@ fi
LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
{{%- endmacro -%}}
+{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}
+ {{%- if insensitive -%}}
+ {{%- set modifier="Id" -%}}
+ {{%- else -%}}
+ {{%- set modifier="d" -%}}
+ {{%- endif -%}}
+LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*
+{{%- endmacro -%}}
+
{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}
{{%- if insensitive -%}}
{{%- set grep_args="-q -m 1 -i" -%}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index be2ac268206..d38db96d9e3 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -92,15 +92,18 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- set prefix_text = "Check the" -%}}
{{%- if missing_parameter_pass %}}
{{%- set suffix_id = suffix_id_default_not_overriden -%}}
{{%- set prefix_text = prefix_text + " absence of" -%}}
{{%- endif %}}
- <criterion comment="{{{ prefix_text }}} {{{ parameter }}} in {{{ path }}}"
- test_ref="test_{{{ rule_id }}}{{{ suffix_id }}}" />
+{{%- if not comment -%}}
+{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}}
+{{%- endif -%}}
+<criterion comment="{{{ comment }}}"
+ test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- endmacro %}}
{{#
@@ -110,7 +113,7 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}}
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- if missing_parameter_pass %}}
{{%- set check_existence = "none_exist" -%}}
@@ -120,14 +123,14 @@
{{%- set check_existence = "all_exist" -%}}
{{%- set prefix_text = "value" -%}}
{{%- endif %}}
- <ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
+<ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
comment="tests the {{{ prefix_text }}} of {{{ parameter }}} setting in the {{{ path }}} file"
- id="test_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
- <ind:object object_ref="obj_{{{ rule_id }}}{{{ suffix_id }}}" />
+ id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- if not missing_parameter_pass %}}
- <ind:state state_ref="state_{{{ rule_id }}}{{{ suffix_id }}}" />
+ <ind:state state_ref="state_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- endif %}}
- </ind:textfilecontent54_test>
+</ind:textfilecontent54_test>
{{%- endmacro %}}
{{#
@@ -141,7 +144,7 @@
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
#}}
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}}
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- if multi_value -%}}
{{%- set group_regex = "([^#]*).*$" -%}}
@@ -173,16 +176,16 @@
{{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}}
{{%- endif %}}
{{%- endif %}}
- <ind:textfilecontent54_object id="obj_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
+<ind:textfilecontent54_object id="obj_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
{{%- if filepath_regex %}}
- <ind:path>{{{ path }}}</ind:path>
- <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
+ <ind:path>{{{ path }}}</ind:path>
+ <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
{{%- else %}}
- <ind:filepath>{{{ path }}}</ind:filepath>
+ <ind:filepath>{{{ path }}}</ind:filepath>
{{%- endif %}}
- <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
- <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+ <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
{{%- endmacro %}}
{{#
@@ -193,7 +196,7 @@
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
{{%- set regex = value -%}}
{{%- if quotes != "" %}}
{{%- if "\\1" in value > 0 %}}
@@ -206,9 +209,25 @@
{{%- else %}}
{{%- set regex = "^"+regex+"$" -%}}
{{%- endif %}}
- <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
- <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
- </ind:textfilecontent54_state>
+<ind:textfilecontent54_state id="state_{{{ id_stem }}}" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
+</ind:textfilecontent54_state>
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
+{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}}
+{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
+{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}}
{{%- endmacro %}}
{{#
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index ca1b512bb3d..eac758e310b 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -3,4 +3,26 @@
# strategy = restrict
# complexity = low
# disruption = low
+{{%- if product in ("fedora", "rhel9") %}}
+{{%- set prefix_regex = "^\s*" -%}}
+{{%- set separator_regex = "\s\+" -%}}
+{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}}
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/hardening
+{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
+{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{{ set_config_file(
+ path="/etc/ssh/sshd_config.d/hardening",
+ parameter=PARAMETER,
+ value=VALUE,
+ create=true,
+ insert_after="",
+ insert_before="^Match",
+ insensitive=true,
+ separator=" ",
+ separator_regex=separator_regex,
+ prefix_regex=prefix_regex)
+ }}}
+{{%- else %}}
{{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}}
+{{%- endif %}}
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
index df63d542505..2cc38776eb2 100644
--- a/shared/templates/sshd_lineinfile/oval.template
+++ b/shared/templates/sshd_lineinfile/oval.template
@@ -1,7 +1,61 @@
-{{{
-oval_sshd_config(
- parameter=PARAMETER,
- value=VALUE,
- missing_parameter_pass=MISSING_PARAMETER_PASS
-)
-}}}
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
+{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}}
+{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}}
+{{%- if product in products_with_distributed_configuration %}}
+{{%- set description = description ~ " and in " ~ config_dir -%}}
+{{%- endif %}}
+{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}}
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata(description) }}}
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criteria comment="sshd is configured correctly" operator="OR">
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}}
+ {{%- if MISSING_PARAMETER_PASS %}}
+ <criteria comment="sshd is not configured incorrectly" operator="AND">
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}}
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}}
+ {{%- endif %}}
+ </criteria>
+ {{%- endif %}}
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}}
+ {{%- endif %}}
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+ {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}}
+ {{{ oval_line_in_file_state(VALUE) | indent (2) }}}
+
+ {{%- if MISSING_PARAMETER_PASS %}}
+ {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
+ {{%- endif %}}
+
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}}
+ {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}}
+ {{{ oval_line_in_directory_state(VALUE) | indent (2) }}}
+
+ {{%- if MISSING_PARAMETER_PASS %}}
+ {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
+ {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
+ {{%- endif %}}
+ {{%- endif %}}
+</def-group>
From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 30 Apr 2021 11:52:22 +0200
Subject: [PATCH 2/6] Improved the lineinfile template.
It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.
---
shared/macros-bash.jinja | 2 +-
shared/templates/lineinfile/oval.template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index b4518d83c19..d654a0e0e89 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
# prefix_regex: regular expression describing allowed leading characters at each line
#}}
{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}
- {{%- set line_regex = prefix_regex+parameter+separator_regex -%}}
+ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
{{%- set new_line = parameter+separator+value -%}}
if [ -e "{{{ path }}}" ] ; then
{{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}
diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template
index a38856d9177..644327b7d6e 100644
--- a/shared/templates/lineinfile/oval.template
+++ b/shared/templates/lineinfile/oval.template
@@ -1,4 +1,4 @@
-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}}
+{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}}
From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 30 Apr 2021 11:54:12 +0200
Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule.
The rule makes sure that the sshd configuration is distributed in the
/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory
in another rules.
---
.../bash/shared.sh | 15 ++++++++++
.../oval/shared.xml | 29 +++++++++++++++++++
.../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++
.../tests/match.fail.sh | 4 +++
.../tests/simple.fail.sh | 3 ++
.../tests/simple.pass.sh | 4 +++
shared/references/cce-redhat-avail.txt | 1 -
shared/templates/extra_ovals.yml | 6 ++++
8 files changed, 87 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
new file mode 100644
index 00000000000..2ff58ec373c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
@@ -0,0 +1,15 @@
+# platform = multi_platform_all
+
+{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
+if test -f {{{ target_file}}}; then
+ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
+else
+ mkdir -p /etc/ssh/sshd_config.d
+ mv /etc/ssh/sshd_config {{{ target_file }}}
+cat > /etc/ssh/sshd_config << EOF
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+
+Include /etc/ssh/sshd_config.d/*.conf
+EOF
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
new file mode 100644
index 00000000000..0ffb429adff
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
@@ -0,0 +1,29 @@
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("foo") }}}
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criteria comment="sshd is configured correctly" operator="AND">
+ <extend_definition comment="sshd includes config files from its .d directory"
+ definition_ref="sshd_includes_config_files" />
+ {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}}
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}}
+</def-group>
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
new file mode 100644
index 00000000000..8c370036e61
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: fedora,rhel9
+
+title: 'Distribute the SSH Server configuration to multiple files in a config directory.'
+
+description: |-
+ Make sure to have the <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> line in the <tt>/etc/ssh/sshd_config</tt> file.
+ Ideally, don't have any active configuration directives in that file, and distribute the service configuration
+ to several files in the <tt>/etc/ssh/sshd_config.d</tt> directory.
+
+rationale: |-
+ This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the <tt>/etc/ssh/sshd_config.d</tt> config directory are effective, there has to be a rule that ensures this.
+ Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-87681-3
+
+ocil_clause: "you don't include other configuration files from the main configuration file"
+
+ocil: |-
+ To determine whether the SSH server includes configuration files from the right directory, run the following command:
+ <pre>$ sudo grep -i '^Include' /etc/ssh/sshd_config</pre>
+ If a line <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> is returned, then the configuration file inclusion is set correctly.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
new file mode 100644
index 00000000000..fa2ee0654f2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+echo "Match something" >> /etc/ssh/sshd_config
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
new file mode 100644
index 00000000000..a6013ad7cfa
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
new file mode 100644
index 00000000000..7a26f521415
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+# Handling of case-insensitivity of include is tricky
+echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 73d025484e6..40a2b9b5868 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1780,7 +1780,6 @@ CCE-87677-1
CCE-87678-9
CCE-87679-7
CCE-87680-5
-CCE-87681-3
CCE-87682-1
CCE-87683-9
CCE-87684-7
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
index 095d911ee1c..69062ebe541 100644
--- a/shared/templates/extra_ovals.yml
+++ b/shared/templates/extra_ovals.yml
@@ -57,3 +57,9 @@ service_syslog_disabled:
vars:
servicename: syslog
packagename: rsyslog
+
+sshd_includes_config_files:
+ name: lineinfile
+ vars:
+ path: /etc/ssh/sshd_config
+ text: "Include /etc/ssh/sshd_config.d/*.conf"
From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 11 May 2021 16:06:29 +0200
Subject: [PATCH 4/6] Improved error reporting related to macros.
---
ssg/jinja.py | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/ssg/jinja.py b/ssg/jinja.py
index a46246ad0fb..28edd9a6dcd 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None):
add_python_functions(substitutions_dict)
try:
- update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict)
+ filenames = [
+ JINJA_MACROS_BASE_DEFINITIONS,
+ JINJA_MACROS_HIGHLEVEL_DEFINITIONS,
+ JINJA_MACROS_ANSIBLE_DEFINITIONS,
+ JINJA_MACROS_BASH_DEFINITIONS,
+ JINJA_MACROS_OVAL_DEFINITIONS,
+ JINJA_MACROS_IGNITION_DEFINITIONS,
+ JINJA_MACROS_KUBERNETES_DEFINITIONS,
+ ]
+ for filename in filenames:
+ update_substitutions_dict(filename, substitutions_dict)
except Exception as exc:
- msg = ("Error extracting macro definitions: {0}"
- .format(str(exc)))
+ msg = ("Error extracting macro definitions from '{1}': {0}"
+ .format(str(exc), filename))
raise RuntimeError(msg)
return substitutions_dict
From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 11 May 2021 16:44:50 +0200
Subject: [PATCH 5/6] Removed devault values that are variables from Jinja
Support in older jinja2 packages is not in a good shape.
---
shared/macros-oval.jinja | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index d38db96d9e3..87e0fd7d87d 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -92,7 +92,8 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- set prefix_text = "Check the" -%}}
{{%- if missing_parameter_pass %}}
@@ -113,7 +114,8 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- if missing_parameter_pass %}}
{{%- set check_existence = "none_exist" -%}}
@@ -144,7 +146,8 @@
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
#}}
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- if multi_value -%}}
{{%- set group_regex = "([^#]*).*$" -%}}
@@ -196,7 +199,8 @@
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set regex = value -%}}
{{%- if quotes != "" %}}
{{%- if "\\1" in value > 0 %}}
From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 17:25:25 +0200
Subject: [PATCH 6/6] Don't remediate when it is inappropriate
Don't remediate when the config file already contains the include
directive.
---
.../sshd_use_directory_configuration/bash/shared.sh | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
index 2ff58ec373c..9317b23992d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
@@ -1,12 +1,15 @@
# platform = multi_platform_all
{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
+{{% set base_config = "/etc/ssh/sshd_config" -%}}
if test -f {{{ target_file}}}; then
{{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
+elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then
+ {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}
else
mkdir -p /etc/ssh/sshd_config.d
- mv /etc/ssh/sshd_config {{{ target_file }}}
-cat > /etc/ssh/sshd_config << EOF
+ mv {{{ base_config }}} {{{ target_file }}}
+cat > {{{ base_config }}} << EOF
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below

942
SOURCES/scap-security-guide-0.1.58-various_fixes-PR_7335.patch Normal file
View File

@ -0,0 +1,942 @@
From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 16:57:13 +0200
Subject: [PATCH 1/5] Enable more RHEL9 content
---
.../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
.../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
.../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
.../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
.../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
.../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
.../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
.../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
.../rule.yml | 3 ++-
products/rhel9/profiles/hipaa.profile | 6 +++---
products/rhel9/profiles/ospp.profile | 8 ++++----
products/rhel9/profiles/pci-dss.profile | 4 ++--
shared/references/cce-redhat-avail.txt | 6 ------
13 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
index f43f92c2f15..c0fbe2c5e34 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhel9,rhcos4
title: 'Configure session renegotiation for SSH client'
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82880-6
+ cce@rhel9: CCE-87522-9
references:
disa: CCI-000068
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
index 7d4faedfb47..d8063726fb4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 94767ad5993..4cbf5c84651 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,9 +1,5 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
{{%- if init_system == "systemd" -%}}
-{{% if product in ["rhel7", "rhel8"] %}}
-# The process to disable ctrl+alt+del has changed in RHEL7.
-# Reference: https://access.redhat.com/solutions/1123873
-{{% endif %}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
{{%- else -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index 0652fbeadaf..9c6534cf401 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install the pcsc-lite package'
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82347-6
cce@rhel8: CCE-80993-9
+ cce@rhel9: CCE-86280-5
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
index e14db48c22a..6472ade5791 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Enable the pcscd Service'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80569-7
cce@rhel8: CCE-80881-6
+ cce@rhel9: CCE-87907-2
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index a6862c2af25..984a8cf333e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
title: 'Enforce usage of pam_wheel for su authentication'
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-85855-5
cce@rhel8: CCE-83318-6
+ cce@rhel9: CCE-90085-2
references:
cis@rhel7: "5.7"
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 1b71c7d3acd..3779b396b4e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
title: 'Ensure the Default C Shell Umask is Set Correctly'
@@ -20,6 +20,7 @@ identifiers:
cce@rhcos4: CCE-84261-7
cce@rhel7: CCE-80203-3
cce@rhel8: CCE-81037-4
+ cce@rhel9: CCE-87721-7
references:
cis-csc: '18'
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
index a65bec7348c..3a4847ff9d8 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
@@ -6,6 +6,7 @@
<criteria comment="Installed operating system is a certified operating system" operator="OR">
<extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
<extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
+ <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
<extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
<extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
<extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 8b6577226fb..4f49b3b825d 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8
+prodtype: rhel8,rhel9
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
+ cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 1e0ea047b98..797c62708e2 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -33,9 +33,9 @@ selections:
- require_singleuser_auth
- restrict_serial_port_logins
- securetty_root_login_console_only
- - service_debug-shell_disabled # not supported in RHEL9 ATM
- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0ae391c60bf..adec0cbd774 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -107,7 +107,7 @@ selections:
- var_accounts_user_umask=027
- accounts_umask_etc_profile
- accounts_umask_etc_bashrc
-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
+ - accounts_umask_etc_csh_cshrc
### Software update
- ensure_redhat_gpgkey_installed
@@ -177,7 +177,7 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
+ - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
@@ -221,7 +221,7 @@ selections:
- securetty_root_login_console_only
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
+ - use_pam_wheel_for_su
### SELinux Configuration
- var_selinux_state=enforcing
@@ -422,7 +422,7 @@ selections:
- kerberos_disable_no_keytab
# set ssh client rekey limit
-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+ - ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index af347501989..1fe85d39ae0 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -121,8 +121,8 @@ selections:
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
- force_opensc_card_drivers
-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
-# - service_pcscd_enabled # not supported in RHEL9 ATM
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
- set_password_hashing_algorithm_logindefs
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index aa0b30da834..e78838a45aa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -396,7 +396,6 @@ CCE-86276-3
CCE-86277-1
CCE-86278-9
CCE-86279-7
-CCE-86280-5
CCE-86281-3
CCE-86282-1
CCE-86283-9
@@ -1618,7 +1617,6 @@ CCE-87518-7
CCE-87519-5
CCE-87520-3
CCE-87521-1
-CCE-87522-9
CCE-87523-7
CCE-87525-2
CCE-87526-0
@@ -1812,7 +1810,6 @@ CCE-87717-5
CCE-87718-3
CCE-87719-1
CCE-87720-9
-CCE-87721-7
CCE-87722-5
CCE-87723-3
CCE-87724-1
@@ -1994,7 +1991,6 @@ CCE-87903-1
CCE-87904-9
CCE-87905-6
CCE-87906-4
-CCE-87907-2
CCE-87908-0
CCE-87909-8
CCE-87910-6
@@ -3932,7 +3928,6 @@ CCE-89874-2
CCE-89875-9
CCE-89877-5
CCE-89878-3
-CCE-89879-1
CCE-89880-9
CCE-89881-7
CCE-89882-5
@@ -4135,7 +4130,6 @@ CCE-90081-1
CCE-90082-9
CCE-90083-7
CCE-90084-5
-CCE-90085-2
CCE-90086-0
CCE-90087-8
CCE-90088-6
From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 16:30:45 +0200
Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
---
.../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
.../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
.../configure_tmux_lock_command/bash/shared.sh | 2 +-
.../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
.../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bfbb82..737d725872d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
cat >> /etc/bashrc <<'EOF'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
index 233047afcbc..947e1dd7ee5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
index f2430618ab3..0c11c1224e2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
index 45c43e8d374..60e0a7e34c8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if grep -q 'tmux$' /etc/shells ; then
sed -i '/tmux$/d' /etc/shells
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
index 87476a7b315..c98847ded72 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
fips-mode-setup --enable
From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 17:56:57 +0200
Subject: [PATCH 3/5] Update the grub config path
RHEL9 and Fedora EFI/legacy grub paths have been unified:
https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
The location of Ubuntu EFI grub paths has been estimated from
https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
Location of SLE EFI grub paths has been taken from existing rules
---
.../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
.../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
.../uefi/grub2_uefi_password/rule.yml | 10 ++++----
.../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
products/fedora/product.yml | 2 ++
products/rhel7/product.yml | 2 ++
products/rhel8/product.yml | 2 ++
products/rhel9/product.yml | 2 ++
products/sle12/product.yml | 2 ++
products/sle15/product.yml | 1 +
products/ubuntu1604/product.yml | 1 +
products/ubuntu1804/product.yml | 1 +
products/ubuntu2004/product.yml | 1 +
ssg/constants.py | 1 +
ssg/products.py | 4 ++++
tests/shared/grub2.sh | 10 +++++---
17 files changed, 50 insertions(+), 47 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 8545e8ab2c7..7950c15a848 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -1,26 +1,20 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_admin_username" version="1">
{{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
<ind:object object_ref="object_bootloader_uefi_unique_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8a98cbdc95f..128d7cc1cb8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 230aab73139..a67c8ad99bb 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -1,32 +1,26 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_password" version="1">
{{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
<criteria operator="AND">
<criteria comment="check both files to account for procedure change in documenation" operator="OR">
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
</criteria>
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
</criteria>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
<ind:object object_ref="object_bootloader_uefi_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -35,7 +29,7 @@
<ind:object object_ref="object_grub2_uefi_password_usercfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -44,7 +38,7 @@
<ind:object object_ref="object_grub2_uefi_password_grubcfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index cb0d60c3ddf..cc68441e5ad 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -31,10 +31,8 @@ description: |-
<tt>grub.cfg</tt> file by running:
{{% if "ubuntu" in product %}}
<pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg</pre>
{{% else %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
{{% endif %}}
rationale: |-
@@ -91,18 +89,18 @@ ocil: |-
To verify the boot loader superuser account password has been set,
and the password encrypted, run the following command:
{{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat /boot/efi/EFI/sles/grub.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should be similar to:
<pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
{{% elif "ubuntu" in product %}}
- <pre>grep -i password /boot/grub/grub.cfg</pre>
+ <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should contain something similar to:
<pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
{{% else %}}
- <pre>sudo cat /boot/efi/EFI/redhat/user.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
index 72872d907e3..89a9fae86ec 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
@@ -1,27 +1,21 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="uefi_no_removeable_media" version="1">
{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
- <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+ comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
id="test_uefi_no_removeable_media" version="1">
<ind:object object_ref="obj_uefi_no_removeable_media" />
<ind:state state_ref="state_uefi_no_removeable_media" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -30,5 +24,5 @@
<ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
</ind:textfilecontent54_state>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
</def-group>
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
index 0cb53c5331e..ea8e98eea78 100644
--- a/products/fedora/product.yml
+++ b/products/fedora/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
cpes_root: "../../shared/applicability"
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
index fb5d17786da..6438797f218 100644
--- a/products/rhel7/product.yml
+++ b/products/rhel7/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel7:
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
index 78c987b2457..f6d2102558d 100644
--- a/products/rhel8/product.yml
+++ b/products/rhel8/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel8:
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 4ceb332adf3..6b5a15d5cee 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
index d1301a17f91..b9e44e0725c 100644
--- a/products/sle12/product.yml
+++ b/products/sle12/product.yml
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
+
cpes_root: "../../shared/applicability"
cpes:
- sle12-server:
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
index 827a875d493..36ec98397f6 100644
--- a/products/ubuntu1604/product.yml
+++ b/products/ubuntu1604/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
index 68922441a2a..f1671b8d7dd 100644
--- a/products/ubuntu1804/product.yml
+++ b/products/ubuntu1804/product.yml
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
init_system: "systemd"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
index 15565b6748f..d75624d70a3 100644
--- a/products/ubuntu2004/product.yml
+++ b/products/ubuntu2004/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/ssg/constants.py b/ssg/constants.py
index 666d7a4d3c8..f9c978a22a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -383,4 +383,5 @@
# Application constants
DEFAULT_UID_MIN = 1000
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b741b2..fb55f5c2f4b 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -9,6 +9,7 @@
from .constants import (product_directories,
DEFAULT_UID_MIN,
DEFAULT_GRUB2_BOOT_PATH,
+ DEFAULT_GRUB2_UEFI_BOOT_PATH,
DEFAULT_DCONF_GDM_DIR,
PKG_MANAGER_TO_SYSTEM,
PKG_MANAGER_TO_CONFIG_FILE,
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
if "grub2_boot_path" not in existing_properties:
result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ if "grub2_uefi_boot_path" not in existing_properties:
+ result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
+
if "dconf_gdm_dir" not in existing_properties:
result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index bce7683a7c1..f024b3766cf 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
function set_grub_uefi_root {
if grep NAME /etc/os-release | grep -iq fedora; then
- GRUB_CFG_ROOT=/boot/efi/EFI/fedora
- else
- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ GRUB_CFG_ROOT=/boot/grub2
+ elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+ GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ fi
fi
}
From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 5 Aug 2021 17:59:39 +0200
Subject: [PATCH 4/5] Add the sshd directory configuration rule
Remediations of other sshd rules assumes that sshd is configured using
multiple files as opposed to one huge file, and this rule
makes sure that the assumption is guarded.
---
controls/anssi.yml | 3 +++
products/rhel9/profiles/cis.profile | 2 ++
products/rhel9/profiles/cjis.profile | 1 +
products/rhel9/profiles/e8.profile | 1 +
products/rhel9/profiles/hipaa.profile | 1 +
products/rhel9/profiles/ism_o.profile | 1 +
products/rhel9/profiles/ospp.profile | 1 +
products/rhel9/profiles/pci-dss.profile | 1 +
products/rhel9/profiles/rht-ccp.profile | 1 +
9 files changed, 12 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 7737e67ea51..eee79cf1ef7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -384,6 +384,9 @@ controls:
- package_sudo_installed
- audit_rules_privileged_commands_sudo
+ # This rule should be present in the profile at least once
+ - sshd_use_directory_configuration
+
- id: R20
levels:
- enhanced
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 622f88e3766..8d7816e5e2d 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -791,6 +791,8 @@ selections:
- file_permissions_sshd_pub_key
# TO DO: check owner of pub keys in /etc/ssh is root:root
+ # Ensure that the configuration is done the right way
+ - sshd_use_directory_configuration
### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- sshd_set_loglevel_info
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
index b45ba19d84f..0aaf7cb0206 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -98,6 +98,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 6d87a778eee..3851255ccec 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -126,6 +126,7 @@ selections:
- audit_rules_kernel_module_loading
### Secure access
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_disable_gssapi_auth
- sshd_print_last_log
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 797c62708e2..d1dc18ba33c 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
+ - sshd_use_directory_configuration
- sshd_disable_empty_passwords
- sshd_disable_root_login
- libreswan_approved_tunnels
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 82e863ad3d3..6fc919da128 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -56,6 +56,7 @@ selections:
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_use_directory_configuration
- sshd_max_auth_tries_value=5
- disable_host_auth
- require_emergency_target_auth
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index adec0cbd774..08ffcccd9e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
### Services
# sshd
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_enable_strictmodes
- disable_host_auth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 1fe85d39ae0..bd16dc97721 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -105,6 +105,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
index e1d9a70b493..8576975aa54 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -87,6 +87,7 @@ selections:
- service_telnet_disabled
- package_telnet-server_removed
- package_telnet_removed
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 11 Aug 2021 16:43:00 +0200
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
Packages dnf-plugin-subscription-manager and subscription-manager are
merged to subscription-manager in RHEL9 - see
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
---
.../rule.yml | 3 +--
.../package_subscription-manager_installed/rule.yml | 9 ++++++++-
products/rhel9/profiles/ospp.profile | 1 -
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 4f49b3b825d..8b6577226fb 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: rhel8
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
- cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index b90a7588270..32e5ce9a129 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -12,7 +12,14 @@ rationale: |-
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
- content management tools such as yum.
+ content management tools such as {{{ package_manager }}}.
+
+ {{% if product in ["rhel9"] %}}
+ The package provides, among other things, {{{ package_manager }}} plugins
+ to interact with repositories and subscriptions
+ from the Red Hat entitlement platform - the subscription-manager and
+ product-id plugins.
+ {{% endif %}}
severity: medium
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 08ffcccd9e2..1b060c7bf07 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -178,7 +178,6 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
- - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed

29
SOURCES/scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch Normal file
View File

@ -0,0 +1,29 @@
From d1c2810ca3ba0cea44cc70db34eb80e313408cb5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 25 Aug 2021 10:59:11 +0200
Subject: [PATCH] Remove package applicability from s390x_arch generated
remediations.
This makes sure that there will be no package applicability check in the
remediations of rules that use the s390x_arch platform applicability,
since the check is made by checking a line in file instead. At this
moment the build system does not allow doing such checks. The side
effect is that Bash and Ansible roles will apply this remediation even
on a system that is not s390_arch, so using OpenSCAP scanner is highly
recommended.
---
ssg/constants.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssg/constants.py b/ssg/constants.py
index 9bb4e1b5f4..adb76bfa8f 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -353,6 +353,7 @@
"uefi": None,
"non-uefi": None,
"not_s390x_arch": None,
+ "s390x_arch": None,
}
# _version_name_map = {

473
SPECS/scap-security-guide.spec Normal file
View File

@ -0,0 +1,473 @@
# SSG build system and tests count with build directory name `build`.
# For more details see:
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
Name: scap-security-guide
Version: 0.1.57
Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
BuildArch: noarch
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
Patch1: scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
Patch2: scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
Patch3: scap-security-guide-0.1.58-various_fixes-PR_7335.patch
Patch4: scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
Patch8: scap-security-guide-0.1.58-cis_def-PR_6976.patch
Patch9: scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
Patch10: scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
Patch11: scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
Patch12: scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
Patch13: scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5
%description
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The system
administrator can use the oscap CLI tool from openscap-scanner package, or the
scap-workbench GUI tool from scap-workbench package to verify that the system
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
further information.
%package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks
Requires: %{name} = %{version}-%{release}
%description doc
The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if ( %{defined rhel} && (! %{defined centos}) )
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description rule-playbooks
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
%endif
%prep
%autosetup -p1
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
%endif
mkdir -p build
%build
%cmake %{cmake_defines_common} %{cmake_defines_specific}
%cmake_build
%install
%cmake_install
rm %{buildroot}/%{_docdir}/%{name}/README.md
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible/*.yml
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if ( %{defined rhel} && (! %{defined centos}) )
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix remediations applicability of zipl rules
Resolves: rhbz#1996847
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
- Fix a broken HTTP link
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
Resolves: rhbz#1962564
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Use SSHD directory-based configuration.
Resolves: rhbz#1962564
- Introduce ISM kickstarts
Resolves: rhbz#1978290
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
TLDR: Enable remediations by means of platform metadata,
enable the RHEL9 GPG rule, introduce the s390x platform,
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
address the subscription-manager package merge, and
enable and select more rules applicable to RHEL9.
Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Introduced the playbooks subpackage.
- Enabled CentOS content on CentOS systems.
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
- Upgrade to the latest upstream release
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
- fix definition of build directory
* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
- revert previous rework, it did not solve the problem
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
- rewrite solution for CMake out of source builds
* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
- Update for new CMake out of source builds
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Hotfix of the XML parsing fix.
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
- Fixed XML parsing of remediation functions.
* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
- Update URL and source URL
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- Fix man page build dependency on derivative content
* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Fix Licence of this package
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
- Update to use Python3 for build.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
- Add python version to python2-jinja2 package
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
- Add python version to python package prefixes
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
- updated to latest upstream release
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
- updated to latest upstream release
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
- updated to latest upstream release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
- use make_build and make_install RPM macros
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
- update to the latest upstream release
- new default location for content /usr/share/scap/ssg
- install HTML tables in the doc subpackage
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
- Correct currently failing parallel SCAP Security Guide build
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
- Drop shell library for remediation functions since it is not required
starting from 0.1.30 release any more
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
in 0.1.29 upstream release
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
- upgrade to the latest upstream release
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
- update to the latest upstream release
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
- update to the latest upstream release
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
- update to the latest upstream release
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
- update to the latest upstream release
- created doc sub-package to ship all the guides
- start distributing centos and scientific linux content
- rename java content to jre
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
- update to the latest upstream release
- only DataStream file is now available for Fedora
- start distributing security baseline for Firefox
- start distributing security baseline for Java RunTime deployments
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
- update to the latest upstream release
- move content to /usr/share/scap/ssg/content
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
- update to the latest upstream release
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
- require only openscap-scanner, not whole openscap-utils package
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
- Add STIG DISCLAIMER to the shipped documentation
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
- Fix fedora-srpm and fedora-rpm Make targets to work again
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
- EOL for Fedora 18 support
- Include Fedora datastream file for remote Fedora system scans
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
it to /shared
- Add shared remediations for sshd disable empty passwords and
sshd set idle timeout
- Shared remediation for sshd disable root login
- Add empty -compat subpackage to ensure backward-compatibility with
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
- OVAL check for sshd disable root login
- Fix typo in OVAL check for sshd disable empty passwords
- OVAL check for sshd disable empty passwords
- Unselect no shelllogin for systemaccounts rule from being run by default
- Rename XCCDF rules
- Revert Set up Fedora release name and CPE based on build system properties
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
- Shared OVAL check for Verify that System Executables Have Root Ownership
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
Permissions
- Fix remediation for Disable Prelinking rule
- OVAL check and remediation for sshd's ClientAliveCountMax rule
- OVAL check for sshd's ClientAliveInterval rule
- Include descriptions for permissions section, and rules for checking
permissions and ownership of shared library files and system executables
- Disable selected rules by default
- Add remediation for Disable Prelinking rule
- Adjust service-enable-macro, service-disable-macro XSLT transforms
definition to evaluate to proper systemd syntax
- Fix service_ntpd_enabled OVAL check make validate to pass again
- Include patch from Šimon Lukašík to obsolete openscap-content
package (RH BZ#1028706)
- Add OVAL check to test if there's is remote NTP server configured for
time data
- Add system settings section for the guide (to track system wide
hardening configurations)
- Include disable prelink rule and OVAL check for it
- Initial OVAL check if ntpd service is enabled. Add package_installed
OVAL templating directory structure and functionality.
- Include services section, and XCCDF description for selected ntpd's
sshd's service rules
- Include remediations for login.defs' based password minimum, maximum and
warning age rules
- Include directory structure to support remediations
- Add SCAP "replace or append pattern value in text file based on variable"
remediation script generator
- Add remediation for "Set Password Minimum Length in login.defs" rule
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
- Update versioning scheme - move fedorassgrelease to be part of
upstream version. Rename it to fedorassgversion to avoid name collision
with Fedora package release.
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
- Add .gitignore for Fedora output directory
- Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page
(RH BZ#1018905, c#10)
- Apply further changes motivated by scap-security-guide Fedora RPM review
request (RH BZ#1018905, c#8):
* update package description,
* make content files to be owned by the scap-security-guide package,
* remove Fedora release number from generated content files,
* move HTML form of the guide under the doc directory (together
with that drop fedora/content subdir and place the content
directly under fedora/ subdir).
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
* drop Fedora release from package provided files' final path (c#5),
* drop BuildRoot, selected Requires:, clean section, drop chcon for
manual page, don't gzip man page (c#4),
* change package's description (c#4),
* include PD license text (#c4).
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
- Provide manual page for scap-security-guide
- Remove percent sign from spec's changelog to silence rpmlint warning
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
- Introduce 'Account and Access Control' section
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
rules to Fedora
- Set proper name of the build directory in the spec's setup macro.
- Replace hard-coded paths with macros. Preserve attributes when copying files.
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
- Initial Fedora SSG RPM.