diff --git a/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch b/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
new file mode 100644
index 0000000..e2526fc
--- /dev/null
+++ b/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
@@ -0,0 +1,31 @@
+From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Mon, 16 Aug 2021 15:26:00 +0200
+Subject: [PATCH] Remove a spurious whitespace trim
+
+The first line of the if- block ended up in the metadata comment.
+---
+ .../disable_ctrlaltdel_reboot/bash/shared.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+index 4cbf5c8465..610da67668 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+@@ -1,8 +1,8 @@
+ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
+-{{%- if init_system == "systemd" -%}}
++{{% if init_system == "systemd" -%}}
+ systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
+-{{%- else -%}}
++{{%- else %}}
+ # If system does not contain control-alt-delete.override,
+ if [ ! -f /etc/init/control-alt-delete.override ]; then
+ # but does have control-alt-delete.conf file,
+@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then
+ fi
+ fi
+ sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
+-{{%- endif -%}}
++{{%- endif %}}
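Review bot: The corrected `{{% if init_system == "systemd" -%}}` stops the preceding newline being trimmed, which is what had pulled `systemctl disable --now ctrl-alt-del.target` onto the `# platform =` comment line and silently neutralised the systemd branch of this remediation, but nothing in the patch guards against the same whitespace-control regression recurring. A render check asserting that the line after `# platform =` in the generated bash begins with `systemctl disable` (and, for the non-systemd rendering, with `# If system does not contain`) would pin the fix. `{{%- else %}}` and `{{%- endif %}}` still trim the newline before them; that is harmless here because in both cases the preceding line is a command rather than a comment, which is worth stating in the commit message so the asymmetry is not "fixed" later.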
diff --git a/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch b/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
new file mode 100644
index 0000000..a1a7742
--- /dev/null
+++ b/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
@@ -0,0 +1,28 @@
+From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 3 Aug 2021 16:50:23 +0200
+Subject: [PATCH] add details about gpgkey package for rhel9
+
+---
+ products/rhel9/product.yml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
+index 78c65fd805..4ceb332adf 100644
+--- a/products/rhel9/product.yml
++++ b/products/rhel9/product.yml
+@@ -13,10 +13,10 @@ init_system: "systemd"
+ dconf_gdm_dir: "distro.d"
+
+ # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+-pkg_release: ""
+-pkg_version: ""
+-aux_pkg_release: ""
+-aux_pkg_version: ""
++pkg_release: "4ae0493b"
++pkg_version: "fd431d51"
++aux_pkg_release: "5b32db75"
++aux_pkg_version: "d4082792"
+
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
diff --git a/scap-security-guide-0.1.58-ism_ks-PR_7392.patch b/scap-security-guide-0.1.58-ism_ks-PR_7392.patch
new file mode 100644
index 0000000..e38943c
--- /dev/null
+++ b/scap-security-guide-0.1.58-ism_ks-PR_7392.patch
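Review bot: `pkg_version` and `aux_pkg_version` are the last eight hex digits of `release_key_fingerprint` and `auxiliary_key_fingerprint` (`FD431D51`, `D4082792`), which is internally consistent, but `pkg_release` and `aux_pkg_release` cannot be derived from anything in the file and the only comment above the block speaks of the fingerprints. A comment recording where each value comes from would let the next key rotation be verified against the Red Hat key page rather than copied, e.g. `# pkg_release/aux_pkg_release: release field of the gpg-pubkey package for the key (presumably the key creation time in hex); pkg_version/aux_pkg_version: low 32 bits of the matching fingerprint`. The derivation of the release values is inferred, not visible in the hunk, so confirm it before wording the comment.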
@@ -0,0 +1,256 @@
+From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Mon, 16 Aug 2021 13:08:10 +0200
+Subject: [PATCH] Add ISM Official kickstarts
+
+---
+ .../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
+ .../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
+ 2 files changed, 232 insertions(+)
+ create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+
+diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..d84d98b12d
+--- /dev/null
++++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..517919539a
+--- /dev/null
++++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon com_redhat_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
diff --git a/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch b/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
new file mode 100644
index 0000000..0336950
--- /dev/null
+++ b/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
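Review bot: Both new kickstarts ship a fixed `rootpw --iscrypted` hash and a wheel-group `admin` user whose hash is fixed too, with the plaintext values (`server`, `admin123`) spelled out in the comments, so a system installed from either file unmodified ends up with privileged credentials that are public, and the same two hashes are duplicated between the rhel8 and rhel9 files. At minimum the comments above `rootpw` and `user` should say that the hashes are placeholders to replace before installation, e.g. `# Replace this hash before installing: the value shipped here is publicly known`. Separately, `# Harden installation with Essential Eight profile` does not match the profile actually selected, `xccdf_org.ssgproject.content_profile_ism_o`, and reads as a copy-paste leftover; `# Harden installation with ISM Official profile` would be accurate in both files. The rhel9 file also points its kickstart and OpenSCAP add-on documentation links at the RHEL 8 documentation even though its add-on name is already the RHEL 9 `com_redhat_oscap`.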
@@ -0,0 +1,186 @@
+From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 12 Aug 2021 15:05:35 +0200
+Subject: [PATCH 1/3] Add cpe platform for s390x arch
+
+---
+ .../guide/system/bootloader-zipl/group.yml | 2 +-
+ shared/applicability/arch.yml | 12 +++++++
+ shared/applicability/general.yml | 5 ---
+ ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----
+ .../proc_sys_kernel_osrelease_arch_s390x.xml | 33 +++++++++++++++++++
+ 5 files changed, 48 insertions(+), 26 deletions(-)
+ create mode 100644 shared/applicability/arch.yml
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
+index 64c6c8dffbe..4f8ce753726 100644
+--- a/linux_os/guide/system/bootloader-zipl/group.yml
++++ b/linux_os/guide/system/bootloader-zipl/group.yml
+@@ -8,4 +8,4 @@ description: |-
+ options to it.
+ The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+
+-platform: zipl
++platform: s390x_arch
+diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
+new file mode 100644
+index 00000000000..48b2aa3ef30
+--- /dev/null
++++ b/shared/applicability/arch.yml
+@@ -0,0 +1,12 @@
++cpes:
++
++ - not_s390x_arch:
++ name: "cpe:/a:not_s390x_arch"
++ title: "System architecture is not S390X"
++ check_id: proc_sys_kernel_osrelease_arch_not_s390x
++
++ - s390x_arch:
++ name: "cpe:/a:s390x_arch"
++ title: "System architecture is S390X"
++ check_id: proc_sys_kernel_osrelease_arch_s390x
++
+diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
+index 7382b7dd302..6e3ecfd9bf9 100644
+--- a/shared/applicability/general.yml
++++ b/shared/applicability/general.yml
+@@ -24,11 +24,6 @@ cpes:
+ title: "Package net-snmp is installed"
+ check_id: installed_env_has_net-snmp_package
+
+- - not_s390x_arch:
+- name: "cpe:/a:not_s390x_arch"
+- title: "System architecture is not S390X"
+- check_id: proc_sys_kernel_osrelease_arch_not_s390x
+-
+ - nss-pam-ldapd:
+ name: "cpe:/a:nss-pam-ldapd"
+ title: "Package nss-pam-ldapd is installed"
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+index 1fc625a1e75..d95ce249c49 100644
+--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+@@ -9,26 +9,8 @@
+ Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x
+
+
+-
++
+
+
+-
+-
+-
+-
+-
+-
+- /proc/sys/kernel/osrelease
+- ^.*\.(.*)$
+- 1
+-
+-
+-
+- ^s390x$
+-
+-
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+new file mode 100644
+index 00000000000..abc6f1b0b88
+--- /dev/null
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+@@ -0,0 +1,33 @@
++
++
++
++ Test for different architecture than s390x
++
++ multi_platform_all
++
++ Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x
++
++
++
++
++
++
++
++
++
++
++
++
++ /proc/sys/kernel/osrelease
++ ^.*\.(.*)$
++ 1
++
++
++
++ ^s390x$
++
++
+
+From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 12 Aug 2021 16:16:11 +0200
+Subject: [PATCH 2/3] Remove zipl CPE platform
+
+The package names for zipl changed recently.
+As zipl is an s390 exclusive, lets use the arch check instead of
+package name check.
+---
+ shared/applicability/bootloaders.yml | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
+index 57832118447..6856578621c 100644
+--- a/shared/applicability/bootloaders.yml
++++ b/shared/applicability/bootloaders.yml
+@@ -4,8 +4,3 @@ cpes:
+ name: "cpe:/a:grub2"
+ title: "Package grub2 is installed"
+ check_id: installed_env_has_grub2_package
+-
+- - zipl:
+- name: "cpe:/a:zipl"
+- title: "System uses zipl"
+- check_id: installed_env_has_zipl_package
+
+From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
+From: Watson Yuuma Sato
+Date: Tue, 17 Aug 2021 19:53:59 +0200
+Subject: [PATCH 3/3] Fix typo in check title
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+
+Co-authored-by: Jan Černý
+---
+ shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+index abc6f1b0b88..7f416de6475 100644
+--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+@@ -2,7 +2,7 @@
+
+
+- Test for different architecture than s390x
++ Test that the architecture is s390x
+
+ multi_platform_all
+
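Review bot: The new `proc_sys_kernel_osrelease_arch_s390x` check derives the architecture from `/proc/sys/kernel/osrelease` with the pattern `^.*\.(.*)$` and subexpression `1`, so it is only correct when the running kernel's release string ends in a `.s390x` suffix; a kernel built without the distribution's arch suffix would be classified as not s390x and the zIPL rules that `bootloader-zipl/group.yml` now gates on `s390x_arch` would be skipped without any error. A comment beside the regex stating the assumed `<version>-<release>.<arch>` format would document that limitation, and if the unix OVAL schema is available to these shared checks, `uname_object`/`uname_state` with `machine_class` reports the hardware name directly instead of parsing the release string. Most XML elements were stripped from this view, so the exact test structure is not visible; the `not_s390x` check appears to be reduced to a single added line, presumably extending the new definition with negation, in which case the same caveat applies to both CPEs.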
diff --git a/scap-security-guide-0.1.58-various_fixes-PR_7335.patch b/scap-security-guide-0.1.58-various_fixes-PR_7335.patch
new file mode 100644
index 0000000..56d209c
--- /dev/null
+++ b/scap-security-guide-0.1.58-various_fixes-PR_7335.patch
@@ -0,0 +1,942 @@
+From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Fri, 30 Jul 2021 16:57:13 +0200
+Subject: [PATCH 1/5] Enable more RHEL9 content
+
+---
+ .../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
+ .../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
+ .../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
+ .../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
+ .../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
+ .../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
+ .../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
+ .../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
+ .../rule.yml | 3 ++-
+ products/rhel9/profiles/hipaa.profile | 6 +++---
+ products/rhel9/profiles/ospp.profile | 8 ++++----
+ products/rhel9/profiles/pci-dss.profile | 4 ++--
+ shared/references/cce-redhat-avail.txt | 6 ------
+ 13 files changed, 23 insertions(+), 26 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+index f43f92c2f15..c0fbe2c5e34 100644
+--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol8,rhel8,rhcos4
++prodtype: ol8,rhel8,rhel9,rhcos4
+ 
+ title: 'Configure session renegotiation for SSH client'
+ 
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel8: CCE-82880-6
++ cce@rhel9: CCE-87522-9
+ 
+ references:
+ disa: CCI-000068
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+index 7d4faedfb47..d8063726fb4 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
++# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+index 94767ad5993..4cbf5c84651 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+@@ -1,9 +1,5 @@
+ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
+ {{%- if init_system == "systemd" -%}}
+-{{% if product in ["rhel7", "rhel8"] %}}
+-# The process to disable ctrl+alt+del has changed in RHEL7.
+-# Reference: https://access.redhat.com/solutions/1123873
+-{{% endif %}}
+ systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
+ {{%- else -%}}
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+index 0652fbeadaf..9c6534cf401 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Install the pcsc-lite package'
+ 
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-82347-6
+ cce@rhel8: CCE-80993-9
++ cce@rhel9: CCE-86280-5
+ 
+ references:
+ disa: CCI-001954
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+index e14db48c22a..6472ade5791 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Enable the pcscd Service'
+ 
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80569-7
+ cce@rhel8: CCE-80881-6
++ cce@rhel9: CCE-87907-2
+ 
+ references:
+ disa: CCI-001954
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index a6862c2af25..984a8cf333e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
+ 
+ title: 'Enforce usage of pam_wheel for su authentication'
+ 
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-85855-5
+ cce@rhel8: CCE-83318-6
++ cce@rhel9: CCE-90085-2
+ 
+ references:
+ cis@rhel7: "5.7"
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+index 1b71c7d3acd..3779b396b4e 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
+ 
+ title: 'Ensure the Default C Shell Umask is Set Correctly'
+ 
+@@ -20,6 +20,7 @@ identifiers:
+ cce@rhcos4: CCE-84261-7
+ cce@rhel7: CCE-80203-3
+ cce@rhel8: CCE-81037-4
++ cce@rhel9: CCE-87721-7
+ 
+ references:
+ cis-csc: '18'
+diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+index a65bec7348c..3a4847ff9d8 100644
+--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+@@ -6,6 +6,7 @@
+ 
+ 
+ 
++
+ 
+ 
+ 
+diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+index 8b6577226fb..4f49b3b825d 100644
+--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel8
++prodtype: rhel8,rhel9
+ 
+ title: 'Install dnf-plugin-subscription-manager Package'
+ 
+@@ -17,6 +17,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel8: CCE-82315-3
++ cce@rhel9: CCE-89879-1
+ 
+ references:
+ ism: 0940,1144,1467,1472,1483,1493,1494,1495
+diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
+index 1e0ea047b98..797c62708e2 100644
+--- a/products/rhel9/profiles/hipaa.profile
++++ b/products/rhel9/profiles/hipaa.profile
+@@ -33,9 +33,9 @@ selections:
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+- - service_debug-shell_disabled # not supported in RHEL9 ATM
+- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
+- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
++ - service_debug-shell_disabled
++ - disable_ctrlaltdel_reboot
++ - disable_ctrlaltdel_burstaction
+ - dconf_db_up_to_date
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 0ae391c60bf..adec0cbd774 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -107,7 +107,7 @@ selections:
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
+-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
++ - accounts_umask_etc_csh_cshrc
+ 
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+@@ -177,7 +177,7 @@ selections:
+ - package_aide_installed
+ - package_dnf-automatic_installed
+ - package_subscription-manager_installed
+-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
++ - package_dnf-plugin-subscription-manager_installed
+ - package_firewalld_installed
+ - package_openscap-scanner_installed
+ - package_policycoreutils_installed
+@@ -221,7 +221,7 @@ selections:
+ - securetty_root_login_console_only
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
++ - use_pam_wheel_for_su
+ 
+ ### SELinux Configuration
+ - var_selinux_state=enforcing
+@@ -422,7 +422,7 @@ selections:
+ - kerberos_disable_no_keytab
+ 
+ # set ssh client rekey limit
+-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
++ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+ 
+diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
+index af347501989..1fe85d39ae0 100644
+--- a/products/rhel9/profiles/pci-dss.profile
++++ b/products/rhel9/profiles/pci-dss.profile
+@@ -121,8 +121,8 @@ selections:
+ - var_smartcard_drivers=cac
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
+-# - service_pcscd_enabled # not supported in RHEL9 ATM
++ - package_pcsc-lite_installed
++ - service_pcscd_enabled
+ - sssd_enable_smartcards
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index aa0b30da834..e78838a45aa 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -396,7 +396,6 @@ CCE-86276-3
+ CCE-86277-1
+ CCE-86278-9
+ CCE-86279-7
+-CCE-86280-5
+ CCE-86281-3
+ CCE-86282-1
+ CCE-86283-9
+@@ -1618,7 +1617,6 @@ CCE-87518-7
+ CCE-87519-5
+ CCE-87520-3
+ CCE-87521-1
+-CCE-87522-9
+ CCE-87523-7
+ CCE-87525-2
+ CCE-87526-0
+@@ -1812,7 +1810,6 @@ CCE-87717-5
+ CCE-87718-3
+ CCE-87719-1
+ CCE-87720-9
+-CCE-87721-7
+ CCE-87722-5
+ CCE-87723-3
+ CCE-87724-1
+@@ -1994,7 +1991,6 @@ CCE-87903-1
+ CCE-87904-9
+ CCE-87905-6
+ CCE-87906-4
+-CCE-87907-2
+ CCE-87908-0
+ CCE-87909-8
+ CCE-87910-6
+@@ -3932,7 +3928,6 @@ CCE-89874-2
+ CCE-89875-9
+ CCE-89877-5
+ CCE-89878-3
+-CCE-89879-1
+ CCE-89880-9
+ CCE-89881-7
+ CCE-89882-5
+@@ -4135,7 +4130,6 @@ CCE-90081-1
+ CCE-90082-9
+ CCE-90083-7
+ CCE-90084-5
+-CCE-90085-2
+ CCE-90086-0
+ CCE-90087-8
+ CCE-90088-6
+
+From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Wed, 4 Aug 2021 16:30:45 +0200
+Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
+
+---
+ .../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
+ .../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
+ .../configure_tmux_lock_command/bash/shared.sh | 2 +-
+ .../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
+ .../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+index 0c544bfbb82..737d725872d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+ cat >> /etc/bashrc <<'EOF'
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+index 233047afcbc..947e1dd7ee5 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ tmux_conf="/etc/tmux.conf"
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+index f2430618ab3..0c11c1224e2 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
++# platform = multi_platform_all
+ 
+ tmux_conf="/etc/tmux.conf"
+ 
+diff --git 
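Review bot: Widening the configure_bashrc_exec_tmux remediation to `multi_platform_all` lets it run on products where `/etc/bashrc` is not the system-wide bash startup file (Debian-family systems read `/etc/bash.bashrc`), so the `cat >> /etc/bashrc` in this hunk would create a file no shell sources there. Whether that is reachable depends on the rule's prodtype, which this patch does not show; if the aim is only to pick up RHEL 9, a list such as `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol` keeps the remediation on systems where the path is valid. The configure_tmux_lock_after_time and configure_tmux_lock_command hunks make the same widening, but the file they write, `/etc/tmux.conf`, is not distribution-specific, so they are less of a concern. The remediation's `if` block continues past the hunk.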
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+index 45c43e8d374..60e0a7e34c8 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ if grep -q 'tmux$' /etc/shells ; then
+ sed -i '/tmux$/d' /etc/shells
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+index 87476a7b315..c98847ded72 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+@@ -1,3 +1,3 @@
+-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
++# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+ 
+ fips-mode-setup --enable
+
+From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Wed, 4 Aug 2021 17:56:57 +0200
+Subject: [PATCH 3/5] Update the grub config path
+
+RHEL9 and Fedora EFI/legacy grub paths have been unified:
+https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
+The location of Ubuntu EFI grub paths has been estimated from
+https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
+
+Location of SLE EFI grub paths has been taken from existing rules
+---
+ .../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
+ 
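Review bot: The enable_fips_mode hunk switches the platform to `multi_platform_rhel`, which, judging by the disable_ctrlaltdel_burstaction hunk in the first commit where it replaced explicit RHEL 7 and RHEL 8 entries, also covers RHEL 7; `fips-mode-setup` does not exist on RHEL 7 (FIPS is enabled there through dracut-fips and kernel arguments), so the one-line remediation would fail on that product. If RHEL 7 is in the rule's prodtype, keeping `Red Hat Enterprise Linux 8` and adding `Red Hat Enterprise Linux 9` explicitly is the safer header. The prodtype is not part of this patch, so this may be moot if the rule is never built for RHEL 7.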
 .../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
+ .../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
+ .../uefi/grub2_uefi_password/rule.yml | 10 ++++----
+ .../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
+ products/fedora/product.yml | 2 ++
+ products/rhel7/product.yml | 2 ++
+ products/rhel8/product.yml | 2 ++
+ products/rhel9/product.yml | 2 ++
+ products/sle12/product.yml | 2 ++
+ products/sle15/product.yml | 1 +
+ products/ubuntu1604/product.yml | 1 +
+ products/ubuntu1804/product.yml | 1 +
+ products/ubuntu2004/product.yml | 1 +
+ ssg/constants.py | 1 +
+ ssg/products.py | 4 ++++
+ tests/shared/grub2.sh | 10 +++++---
+ 17 files changed, 50 insertions(+), 47 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+index 8545e8ab2c7..7950c15a848 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+@@ -1,26 +1,20 @@
+-{{% if product == "fedora" %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+-{{% else %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+-{{% endif %}}
+-
+ 
+ 
+ {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
+ 
+ 
+- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+-
++ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
++
+ 
+ 
+ 
+- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
++ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
+ 
+-
++
+ 
+ 
+ 
+- {{{ grub_cfg_prefix + "/grub.cfg" }}}
++ {{{ grub2_uefi_boot_path + "/grub.cfg" }}}
+ ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$
+ 1
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml 
b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index 8a98cbdc95f..128d7cc1cb8 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -20,7 +20,7 @@ description: |-
+ Once the superuser account has been added,
+ update the
+ grub.cfg file by running:
+-grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
++grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+ + rationale: |- + Having a non-default grub superuser username makes password-guessing attacks less effective. +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +index 230aab73139..a67c8ad99bb 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +@@ -1,32 +1,26 @@ +-{{% if product == "fedora" %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}} +-{{% else %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}} +-{{% endif %}} +- + + + {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}} + + +- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}} ++ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}} + + +- +- ++ ++ + +- ++ + + + + +- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}} ++ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}} + +- ++ + + + +- {{{ grub_cfg_prefix }}}/grub.cfg ++ {{{ grub2_uefi_boot_path }}}/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + +@@ -35,7 +29,7 @@ + + + +- {{{ grub_cfg_prefix }}}/user.cfg ++ {{{ grub2_uefi_boot_path }}}/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + +@@ -44,7 +38,7 @@ + +
+ 
+- {{{ grub_cfg_prefix }}}/grub.cfg
++ {{{ grub2_uefi_boot_path }}}/grub.cfg
+ ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$
+ 1
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index cb0d60c3ddf..cc68441e5ad 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -31,10 +31,8 @@ description: |-
+ grub.cfg file by running:
+ {{% if "ubuntu" in product %}}
+ update-grub
+- {{% elif product in ["sle12", "sle15"] %}}
+-grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg
+ {{% else %}}
+-grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
++grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+ {{% endif %}}
+ 
+ rationale: |-
+@@ -91,18 +89,18 @@ ocil: |-
+ To verify the boot loader superuser account password has been set,
+ and the password encrypted, run the following command:
+ {{% if product in ["sle12", "sle15"] %}}
+-sudo cat /boot/efi/EFI/sles/grub.cfg
++sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
+ The output should be similar to:
+ password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
+ {{% elif "ubuntu" in product %}}
+-grep -i password /boot/grub/grub.cfg
++grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
+ The output should contain something similar to:
+ password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
+ {{% else %}}
+-sudo cat /boot/efi/EFI/redhat/user.cfg
++sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
+ The output should be similar to:
+ GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
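Review bot: For Ubuntu the new OCIL line `grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg` resolves to `/boot/efi/EFI/ubuntu/grub.cfg` (the value the ubuntu product.yml hunks set), whereas the removed line used `/boot/grub/grub.cfg`; on a standard Ubuntu UEFI install the grub.cfg in the EFI directory is a small stub that chains to `/boot/grub/grub.cfg`, so the `password_pbkdf2` line would not be found there. The commit description itself calls the Ubuntu EFI path an estimate, so it should be verified on an Ubuntu UEFI system before this rule's OCIL and the OVAL checks that now share the same variable depend on it; keeping `/boot/grub/grub.cfg` in the ubuntu branch is the conservative choice. As a style point, `{{{ grub2_uefi_boot_path}}}` in the else branch lacks the space before the closing braces that every other use in the commit has.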
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+index 72872d907e3..89a9fae86ec 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+@@ -1,27 +1,21 @@
+-{{% if product == "fedora" %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+-{{% else %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+-{{% endif %}}
+-
+ 
+   
+     {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
+     
+-      
+-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
++      
++      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+     
+   
+ 
+   
+   
+   
+   
+ 
+   
+-    {{{ grub_cfg_prefix + "/grub.cfg" }}}
++    {{{ grub2_uefi_boot_path + "/grub.cfg" }}}
+     ^[ \t]*set root=(.+?)[ \t]*(?:$|#)
+     1
+   
+@@ -30,5 +24,5 @@
+     ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$
+   
+ 
+-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
++  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
+ 
+diff --git a/products/fedora/product.yml b/products/fedora/product.yml
+index 0cb53c5331e..ea8e98eea78 100644
+--- a/products/fedora/product.yml
++++ b/products/fedora/product.yml
+@@ -10,6 +10,8 @@ pkg_manager: "dnf"
+ 
+ init_system: "systemd"
+ 
++grub2_boot_path: "/boot/grub2"
++
+ dconf_gdm_dir: "distro.d"
+ 
+ cpes_root: "../../shared/applicability"
+diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
+index fb5d17786da..6438797f218 100644
+--- a/products/rhel7/product.yml
++++ b/products/rhel7/product.yml
+@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+ oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - rhel7:
+diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
+index 78c987b2457..f6d2102558d 100644
+--- a/products/rhel8/product.yml
++++ b/products/rhel8/product.yml
+@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - rhel8:
+diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
+index 4ceb332adf3..6b5a15d5cee 100644
+--- a/products/rhel9/product.yml
++++ b/products/rhel9/product.yml
+@@ -10,6 +10,8 @@ pkg_manager: "dnf"
+ 
+ init_system: "systemd"
+ 
++grub2_boot_path: "/boot/grub2"
++
+ dconf_gdm_dir: "distro.d"
+ 
+ # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+diff --git a/products/sle12/product.yml b/products/sle12/product.yml
+index d1301a17f91..b9e44e0725c 100644
+--- a/products/sle12/product.yml
++++ b/products/sle12/product.yml
+@@ -12,6 +12,8 @@ pkg_manager: "zypper"
+ pkg_manager_config_file: "/etc/zypp/zypp.conf"
+ oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/sles"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - sle12-server:
+diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
+index 827a875d493..36ec98397f6 100644
+--- a/products/ubuntu1604/product.yml
++++ b/products/ubuntu1604/product.yml
+@@ -12,6 +12,7 @@ init_system: "systemd"
+ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
+index 68922441a2a..f1671b8d7dd 100644
+--- a/products/ubuntu1804/product.yml
++++ b/products/ubuntu1804/product.yml
+@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
+ init_system: "systemd"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
+index 15565b6748f..d75624d70a3 100644
+--- a/products/ubuntu2004/product.yml
++++ b/products/ubuntu2004/product.yml
+@@ -12,6 +12,7 @@ init_system: "systemd"
+ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 666d7a4d3c8..f9c978a22a2 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -383,4 +383,5 @@
+ # Application constants
+ DEFAULT_UID_MIN = 1000
+ DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
++DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
+ DEFAULT_DCONF_GDM_DIR = 'gdm.d'
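Review bot: `DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'` becomes the UEFI path for every product that does not set `grub2_uefi_boot_path`, whereas the Jinja blocks removed from the three OVAL files in this commit used `/boot/efi/EFI/redhat` for everything except Fedora; the diffstat only lists fedora, rhel7, rhel8, rhel9, sle12, sle15 and the ubuntu products, so any other product that builds these rules (OL or RHV, if their prodtype includes them) silently moves from the EFI directory to `/boot/grub2`. The same fallback is introduced in the ssg/products.py hunk. A comment would make the intent explicit, e.g. `# Fedora and RHEL 9 unified the EFI and legacy grub.cfg locations; products with a separate EFI directory must set grub2_uefi_boot_path in product.yml`. The rhel9 product.yml hunk adds `grub2_boot_path: "/boot/grub2"`, which only repeats `DEFAULT_GRUB2_BOOT_PATH`; the setting that product actually relies on here is this new UEFI default, which is worth a comment there too.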
+diff --git a/ssg/products.py b/ssg/products.py
+index 25178b741b2..fb55f5c2f4b 100644
+--- a/ssg/products.py
++++ b/ssg/products.py
+@@ -9,6 +9,7 @@
+ from .constants import (product_directories,
+                         DEFAULT_UID_MIN,
+                         DEFAULT_GRUB2_BOOT_PATH,
++                        DEFAULT_GRUB2_UEFI_BOOT_PATH,
+                         DEFAULT_DCONF_GDM_DIR,
+                         PKG_MANAGER_TO_SYSTEM,
+                         PKG_MANAGER_TO_CONFIG_FILE,
+@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
+     if "grub2_boot_path" not in existing_properties:
+         result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ 
++    if "grub2_uefi_boot_path" not in existing_properties:
++        result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
++
+     if "dconf_gdm_dir" not in existing_properties:
+         result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
+ 
+diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
+index bce7683a7c1..f024b3766cf 100644
+--- a/tests/shared/grub2.sh
++++ b/tests/shared/grub2.sh
+@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
+ 
+ function set_grub_uefi_root {
+ 	if grep NAME /etc/os-release | grep -iq fedora; then
+-		GRUB_CFG_ROOT=/boot/efi/EFI/fedora
+-	else
+-		GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++		GRUB_CFG_ROOT=/boot/grub2
++	elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
++		if grep VERSION /etc/os-release | grep -q '9\.0'; then
++			GRUB_CFG_ROOT=/boot/grub2
++		else
++			GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++		fi
+ 	fi
+ }
+ 
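Review bot: The new RHEL branch keys on `grep VERSION /etc/os-release | grep -q '9\.0'`, which matches only 9.0 (and any VERSION string that happens to contain "9.0"), so RHEL 9.1 and later would fall back to `/boot/efi/EFI/redhat`, the path this commit moves away from; matching the major version instead, e.g. `if grep -q '^VERSION_ID="9' /etc/os-release; then`, is stable across minor releases. The removed `else` also assigned `/boot/efi/EFI/redhat` to every non-Fedora system, while the new `elif` only handles NAME values containing "Red Hat", so derivatives now keep whatever GRUB_CFG_ROOT already held, `/boot/grub2` from the default on line 2 shown in the hunk header. A short comment in `set_grub_uefi_root` listing which distribution and version combinations it recognises would help whoever adds the next one.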
+
+From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
+From: Matej Tyc 
+Date: Thu, 5 Aug 2021 17:59:39 +0200
+Subject: [PATCH 4/5] Add the sshd directory configuration rule
+
+Remediations of other sshd rules assumes that sshd is configured using
+multiple files as opposed to one huge file, and this rule
+makes sure that the assumption is guarded.
+---
+ controls/anssi.yml                      | 3 +++
+ products/rhel9/profiles/cis.profile     | 2 ++
+ products/rhel9/profiles/cjis.profile    | 1 +
+ products/rhel9/profiles/e8.profile      | 1 +
+ products/rhel9/profiles/hipaa.profile   | 1 +
+ products/rhel9/profiles/ism_o.profile   | 1 +
+ products/rhel9/profiles/ospp.profile    | 1 +
+ products/rhel9/profiles/pci-dss.profile | 1 +
+ products/rhel9/profiles/rht-ccp.profile | 1 +
+ 9 files changed, 12 insertions(+)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 7737e67ea51..eee79cf1ef7 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -384,6 +384,9 @@ controls:
+     - package_sudo_installed
+     - audit_rules_privileged_commands_sudo
+ 
++    # This rule should be present in the profile at least once
++    - sshd_use_directory_configuration
++
+   - id: R20
+     levels:
+     - enhanced
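Review bot: The comment `# This rule should be present in the profile at least once` says where the selection must appear but not why, and the reason is only in the commit message; stating it at the selection, e.g. `# Other sshd remediations assume sshd is configured through multiple files rather than one monolithic file; this rule guards that assumption`, lets a reader of anssi.yml judge whether placing it in this control is right (the enclosing control's id is outside the hunk). The cis.profile hunk adds a similarly vague `# Ensure that the configuration is done the right way` and would benefit from the same wording.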
+diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
+index 622f88e3766..8d7816e5e2d 100644
+--- a/products/rhel9/profiles/cis.profile
++++ b/products/rhel9/profiles/cis.profile
+@@ -791,6 +791,8 @@ selections:
+     - file_permissions_sshd_pub_key
+     # TO DO: check owner of pub keys in /etc/ssh is root:root
+ 
++    # Ensure that the configuration is done the right way
++    - sshd_use_directory_configuration
+     ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+     - sshd_set_loglevel_info
+ 
+diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
+index b45ba19d84f..0aaf7cb0206 100644
+--- a/products/rhel9/profiles/cjis.profile
++++ b/products/rhel9/profiles/cjis.profile
+@@ -98,6 +98,7 @@ selections:
+     - dconf_gnome_screensaver_idle_activation_enabled
+     - dconf_gnome_screensaver_lock_enabled
+     - dconf_gnome_screensaver_mode_blank
++    - sshd_use_directory_configuration
+     - sshd_allow_only_protocol2
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
+index 6d87a778eee..3851255ccec 100644
+--- a/products/rhel9/profiles/e8.profile
++++ b/products/rhel9/profiles/e8.profile
+@@ -126,6 +126,7 @@ selections:
+   - audit_rules_kernel_module_loading
+ 
+   ### Secure access
++  - sshd_use_directory_configuration
+   - sshd_disable_root_login
+   - sshd_disable_gssapi_auth
+   - sshd_print_last_log
+diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
+index 797c62708e2..d1dc18ba33c 100644
+--- a/products/rhel9/profiles/hipaa.profile
++++ b/products/rhel9/profiles/hipaa.profile
+@@ -39,6 +39,7 @@ selections:
+     - dconf_db_up_to_date
+     - dconf_gnome_remote_access_credential_prompt
+     - dconf_gnome_remote_access_encryption
++    - sshd_use_directory_configuration
+     - sshd_disable_empty_passwords
+     - sshd_disable_root_login
+     - libreswan_approved_tunnels
+diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
+index 82e863ad3d3..6fc919da128 100644
+--- a/products/rhel9/profiles/ism_o.profile
++++ b/products/rhel9/profiles/ism_o.profile
+@@ -56,6 +56,7 @@ selections:
+   ## Authentication hardening
+   ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+   ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
++  - sshd_use_directory_configuration
+   - sshd_max_auth_tries_value=5
+   - disable_host_auth
+   - require_emergency_target_auth
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index adec0cbd774..08ffcccd9e2 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -58,6 +58,7 @@ selections:
+ 
+     ### Services
+     # sshd
++    - sshd_use_directory_configuration
+     - sshd_disable_root_login
+     - sshd_enable_strictmodes
+     - disable_host_auth
+diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
+index 1fe85d39ae0..bd16dc97721 100644
+--- a/products/rhel9/profiles/pci-dss.profile
++++ b/products/rhel9/profiles/pci-dss.profile
+@@ -105,6 +105,7 @@ selections:
+     - dconf_gnome_screensaver_idle_activation_enabled
+     - dconf_gnome_screensaver_lock_enabled
+     - dconf_gnome_screensaver_mode_blank
++    - sshd_use_directory_configuration
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+     - accounts_password_pam_minlen
+diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
+index e1d9a70b493..8576975aa54 100644
+--- a/products/rhel9/profiles/rht-ccp.profile
++++ b/products/rhel9/profiles/rht-ccp.profile
+@@ -87,6 +87,7 @@ selections:
+     - service_telnet_disabled
+     - package_telnet-server_removed
+     - package_telnet_removed
++    - sshd_use_directory_configuration
+     - sshd_allow_only_protocol2
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+
+From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
+From: Matej Tyc 
+Date: Wed, 11 Aug 2021 16:43:00 +0200
+Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
+
+Packages dnf-plugin-subscription-manager and subscription-manager are
+merged to subscription-manager in RHEL9 - see
+https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
+---
+ .../rule.yml                                             | 3 +--
+ .../package_subscription-manager_installed/rule.yml      | 9 ++++++++-
+ products/rhel9/profiles/ospp.profile                     | 1 -
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+index 4f49b3b825d..8b6577226fb 100644
+--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel8,rhel9
++prodtype: rhel8
+ 
+ title: 'Install dnf-plugin-subscription-manager Package'
+ 
+@@ -17,7 +17,6 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel8: CCE-82315-3
+-    cce@rhel9: CCE-89879-1
+ 
+ references:
+     ism: 0940,1144,1467,1472,1483,1493,1494,1495
+diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+index b90a7588270..32e5ce9a129 100644
+--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+@@ -12,7 +12,14 @@ rationale: |-
+     and subscriptions on a local system to help manage subscription assignments.
+     It communicates with the backend subscription service (the Customer Portal
+     or an on-premise server such as Subscription Asset Manager) and works with
+-    content management tools such as yum.
++    content management tools such as {{{ package_manager }}}.
++
++    {{% if product in ["rhel9"] %}}
++    The package provides, among other things, {{{ package_manager }}} plugins
++    to interact with repositories and subscriptions
++    from the Red Hat entitlement platform - the subscription-manager and
++    product-id plugins.
++    {{% endif %}}
+ 
+ severity: medium
+ 
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 08ffcccd9e2..1b060c7bf07 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -178,7 +178,6 @@ selections:
+     - package_aide_installed
+     - package_dnf-automatic_installed
+     - package_subscription-manager_installed
+-    - package_dnf-plugin-subscription-manager_installed
+     - package_firewalld_installed
+     - package_openscap-scanner_installed
+     - package_policycoreutils_installed
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fbbb354..13133fd 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -5,7 +5,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.57
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -15,6 +15,11 @@ BuildArch:	noarch
 Patch0:		scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
 Patch1:		scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
 Patch2:		scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
+Patch3:		scap-security-guide-0.1.58-various_fixes-PR_7335.patch
+Patch4:		scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
+Patch5:		scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
+Patch6:		scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
+Patch7:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
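Review bot: The five new `PatchN:` declarations only take effect if `%prep` applies them, and `%prep` is outside this hunk; if it uses explicit `%patch0 -p1` … `%patch2 -p1` lines rather than `%autosetup -p1`, matching `%patch3 -p1` through `%patch7 -p1` lines are needed or the new patches are silently dropped from the build while the changelog claims the fixes. The files for Patch3 (various_fixes-PR_7335) and Patch6 (s390x_arch-PR_7385) are not visible being added in this view, whereas Patch4, Patch5 and Patch7 are; confirm both are part of the same commit, since a missing patch source fails the build at `%prep`. The `0.1.58` naming against `Version: 0.1.57` follows the existing Patch0–Patch2 convention, so a short comment above the block, `# Backports from upstream 0.1.58, applied on top of 0.1.57`, would make that intentional mismatch clear to the next maintainer.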
@@ -101,6 +106,22 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Tue Aug 17 2021 Matej Tyc  - 0.1.57-3
+- Use SSHD directory-based configuration.
+  Resolves: rhbz#1962564
+- Introduce ISM kickstarts
+  Resolves: rhbz#1978290
+- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
+  TLDR: Enable remediations by means of platform metadata,
+  enable the RHEL9 GPG rule, introduce the s390x platform,
+  fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
+  address the subscription-manager package merge, and
+  enable and select more rules applicable to RHEL9.
+  Resolves: rhbz#1987227
+  Resolves: rhbz#1987226
+  Resolves: rhbz#1987231
+  Resolves: rhbz#1988289
+
 * Tue Aug 10 2021 Mohan Boddu  - 0.1.57-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688