rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Deliver numerous RHEL9 fixes to rules

Browse Source 
Deliver ISM kickstarts

Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
Resolves: rhbz#1978290
This commit is contained in:
Matej Tyc 2021-08-17 12:40:02 +02:00
parent cae8e44f84
commit c9032c1d61
6 changed files with 1465 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch Normal file
View File

@ -0,0 +1,31 @@
From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 15:26:00 +0200
Subject: [PATCH] Remove a spurious whitespace trim
The first line of the if- block ended up in the metadata comment.
---
.../disable_ctrlaltdel_reboot/bash/shared.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 4cbf5c8465..610da67668 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,8 +1,8 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-{{%- if init_system == "systemd" -%}}
+{{% if init_system == "systemd" -%}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
-{{%- else -%}}
+{{%- else %}}
# If system does not contain control-alt-delete.override,
if [ ! -f /etc/init/control-alt-delete.override ]; then
# but does have control-alt-delete.conf file,
@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then
fi
fi
sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
-{{%- endif -%}}
+{{%- endif %}}

28
scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch Normal file
View File

@ -0,0 +1,28 @@
From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 3 Aug 2021 16:50:23 +0200
Subject: [PATCH] add details about gpgkey package for rhel9
---
products/rhel9/product.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 78c65fd805..4ceb332adf 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -13,10 +13,10 @@ init_system: "systemd"
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
-pkg_release: ""
-pkg_version: ""
-aux_pkg_release: ""
-aux_pkg_version: ""
+pkg_release: "4ae0493b"
+pkg_version: "fd431d51"
+aux_pkg_release: "5b32db75"
+aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

256
scap-security-guide-0.1.58-ism_ks-PR_7392.patch Normal file
View File

@ -0,0 +1,256 @@
From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 13:08:10 +0200
Subject: [PATCH] Add ISM Official kickstarts
---
.../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
.../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
2 files changed, 232 insertions(+)
create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
new file mode 100644
index 0000000000..d84d98b12d
--- /dev/null
+++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
new file mode 100644
index 0000000000..517919539a
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject

186
scap-security-guide-0.1.58-s390x_arch-PR_7385.patch Normal file
View File

@ -0,0 +1,186 @@
From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 15:05:35 +0200
Subject: [PATCH 1/3] Add cpe platform for s390x arch
---
.../guide/system/bootloader-zipl/group.yml | 2 +-
shared/applicability/arch.yml | 12 +++++++
shared/applicability/general.yml | 5 ---
...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----------
.../proc_sys_kernel_osrelease_arch_s390x.xml | 33 +++++++++++++++++++
5 files changed, 48 insertions(+), 26 deletions(-)
create mode 100644 shared/applicability/arch.yml
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 64c6c8dffbe..4f8ce753726 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
options to it.
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
-platform: zipl
+platform: s390x_arch
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
new file mode 100644
index 00000000000..48b2aa3ef30
--- /dev/null
+++ b/shared/applicability/arch.yml
@@ -0,0 +1,12 @@
+cpes:
+
+ - not_s390x_arch:
+ name: "cpe:/a:not_s390x_arch"
+ title: "System architecture is not S390X"
+ check_id: proc_sys_kernel_osrelease_arch_not_s390x
+
+ - s390x_arch:
+ name: "cpe:/a:s390x_arch"
+ title: "System architecture is S390X"
+ check_id: proc_sys_kernel_osrelease_arch_s390x
+
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 7382b7dd302..6e3ecfd9bf9 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -24,11 +24,6 @@ cpes:
title: "Package net-snmp is installed"
check_id: installed_env_has_net-snmp_package
- - not_s390x_arch:
- name: "cpe:/a:not_s390x_arch"
- title: "System architecture is not S390X"
- check_id: proc_sys_kernel_osrelease_arch_not_s390x
-
- nss-pam-ldapd:
name: "cpe:/a:nss-pam-ldapd"
title: "Package nss-pam-ldapd is installed"
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
index 1fc625a1e75..d95ce249c49 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
@@ -9,26 +9,8 @@
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>
</metadata>
<criteria>
- <criterion comment="Architecture is not s390x"
- test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
+ <extend_definition comment="Architecture is not s390x"
+ definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="proc_sys_kernel is for s390x architecture"
- id="test_proc_sys_kernel_osrelease_arch_s390x"
- version="1">
- <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
- <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
- <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
- </ind:textfilecontent54_state>
-
</def-group>
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
new file mode 100644
index 00000000000..abc6f1b0b88
--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <metadata>
+ <title>Test for different architecture than s390x</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Architecture is s390x"
+ test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="proc_sys_kernel is for s390x architecture"
+ id="test_proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+ <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 16:16:11 +0200
Subject: [PATCH 2/3] Remove zipl CPE platform
The package names for zipl changed recently.
As zipl is an s390 exclusive, lets use the arch check instead of
package name check.
---
shared/applicability/bootloaders.yml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
index 57832118447..6856578621c 100644
--- a/shared/applicability/bootloaders.yml
+++ b/shared/applicability/bootloaders.yml
@@ -4,8 +4,3 @@ cpes:
name: "cpe:/a:grub2"
title: "Package grub2 is installed"
check_id: installed_env_has_grub2_package
-
- - zipl:
- name: "cpe:/a:zipl"
- title: "System uses zipl"
- check_id: installed_env_has_zipl_package
From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:53:59 +0200
Subject: [PATCH 3/3] Fix typo in check title
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
index abc6f1b0b88..7f416de6475 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -2,7 +2,7 @@
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
version="1">
<metadata>
- <title>Test for different architecture than s390x</title>
+ <title>Test that the architecture is s390x</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>

942
scap-security-guide-0.1.58-various_fixes-PR_7335.patch Normal file
View File

@ -0,0 +1,942 @@
From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 16:57:13 +0200
Subject: [PATCH 1/5] Enable more RHEL9 content
---
.../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
.../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
.../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
.../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
.../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
.../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
.../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
.../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
.../rule.yml | 3 ++-
products/rhel9/profiles/hipaa.profile | 6 +++---
products/rhel9/profiles/ospp.profile | 8 ++++----
products/rhel9/profiles/pci-dss.profile | 4 ++--
shared/references/cce-redhat-avail.txt | 6 ------
13 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
index f43f92c2f15..c0fbe2c5e34 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhel9,rhcos4
title: 'Configure session renegotiation for SSH client'
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82880-6
+ cce@rhel9: CCE-87522-9
references:
disa: CCI-000068
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
index 7d4faedfb47..d8063726fb4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 94767ad5993..4cbf5c84651 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,9 +1,5 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
{{%- if init_system == "systemd" -%}}
-{{% if product in ["rhel7", "rhel8"] %}}
-# The process to disable ctrl+alt+del has changed in RHEL7.
-# Reference: https://access.redhat.com/solutions/1123873
-{{% endif %}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
{{%- else -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index 0652fbeadaf..9c6534cf401 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install the pcsc-lite package'
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82347-6
cce@rhel8: CCE-80993-9
+ cce@rhel9: CCE-86280-5
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
index e14db48c22a..6472ade5791 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Enable the pcscd Service'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80569-7
cce@rhel8: CCE-80881-6
+ cce@rhel9: CCE-87907-2
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index a6862c2af25..984a8cf333e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
title: 'Enforce usage of pam_wheel for su authentication'
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-85855-5
cce@rhel8: CCE-83318-6
+ cce@rhel9: CCE-90085-2
references:
cis@rhel7: "5.7"
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 1b71c7d3acd..3779b396b4e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
title: 'Ensure the Default C Shell Umask is Set Correctly'
@@ -20,6 +20,7 @@ identifiers:
cce@rhcos4: CCE-84261-7
cce@rhel7: CCE-80203-3
cce@rhel8: CCE-81037-4
+ cce@rhel9: CCE-87721-7
references:
cis-csc: '18'
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
index a65bec7348c..3a4847ff9d8 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
@@ -6,6 +6,7 @@
<criteria comment="Installed operating system is a certified operating system" operator="OR">
<extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
<extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
+ <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
<extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
<extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
<extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 8b6577226fb..4f49b3b825d 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8
+prodtype: rhel8,rhel9
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
+ cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 1e0ea047b98..797c62708e2 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -33,9 +33,9 @@ selections:
- require_singleuser_auth
- restrict_serial_port_logins
- securetty_root_login_console_only
- - service_debug-shell_disabled # not supported in RHEL9 ATM
- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0ae391c60bf..adec0cbd774 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -107,7 +107,7 @@ selections:
- var_accounts_user_umask=027
- accounts_umask_etc_profile
- accounts_umask_etc_bashrc
-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
+ - accounts_umask_etc_csh_cshrc
### Software update
- ensure_redhat_gpgkey_installed
@@ -177,7 +177,7 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
+ - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
@@ -221,7 +221,7 @@ selections:
- securetty_root_login_console_only
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
+ - use_pam_wheel_for_su
### SELinux Configuration
- var_selinux_state=enforcing
@@ -422,7 +422,7 @@ selections:
- kerberos_disable_no_keytab
# set ssh client rekey limit
-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+ - ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index af347501989..1fe85d39ae0 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -121,8 +121,8 @@ selections:
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
- force_opensc_card_drivers
-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
-# - service_pcscd_enabled # not supported in RHEL9 ATM
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
- set_password_hashing_algorithm_logindefs
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index aa0b30da834..e78838a45aa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -396,7 +396,6 @@ CCE-86276-3
CCE-86277-1
CCE-86278-9
CCE-86279-7
-CCE-86280-5
CCE-86281-3
CCE-86282-1
CCE-86283-9
@@ -1618,7 +1617,6 @@ CCE-87518-7
CCE-87519-5
CCE-87520-3
CCE-87521-1
-CCE-87522-9
CCE-87523-7
CCE-87525-2
CCE-87526-0
@@ -1812,7 +1810,6 @@ CCE-87717-5
CCE-87718-3
CCE-87719-1
CCE-87720-9
-CCE-87721-7
CCE-87722-5
CCE-87723-3
CCE-87724-1
@@ -1994,7 +1991,6 @@ CCE-87903-1
CCE-87904-9
CCE-87905-6
CCE-87906-4
-CCE-87907-2
CCE-87908-0
CCE-87909-8
CCE-87910-6
@@ -3932,7 +3928,6 @@ CCE-89874-2
CCE-89875-9
CCE-89877-5
CCE-89878-3
-CCE-89879-1
CCE-89880-9
CCE-89881-7
CCE-89882-5
@@ -4135,7 +4130,6 @@ CCE-90081-1
CCE-90082-9
CCE-90083-7
CCE-90084-5
-CCE-90085-2
CCE-90086-0
CCE-90087-8
CCE-90088-6
From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 16:30:45 +0200
Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
---
.../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
.../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
.../configure_tmux_lock_command/bash/shared.sh | 2 +-
.../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
.../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bfbb82..737d725872d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
cat >> /etc/bashrc <<'EOF'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
index 233047afcbc..947e1dd7ee5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
index f2430618ab3..0c11c1224e2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
index 45c43e8d374..60e0a7e34c8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if grep -q 'tmux$' /etc/shells ; then
sed -i '/tmux$/d' /etc/shells
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
index 87476a7b315..c98847ded72 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
fips-mode-setup --enable
From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 17:56:57 +0200
Subject: [PATCH 3/5] Update the grub config path
RHEL9 and Fedora EFI/legacy grub paths have been unified:
https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
The location of Ubuntu EFI grub paths has been estimated from
https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
Location of SLE EFI grub paths has been taken from existing rules
---
.../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
.../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
.../uefi/grub2_uefi_password/rule.yml | 10 ++++----
.../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
products/fedora/product.yml | 2 ++
products/rhel7/product.yml | 2 ++
products/rhel8/product.yml | 2 ++
products/rhel9/product.yml | 2 ++
products/sle12/product.yml | 2 ++
products/sle15/product.yml | 1 +
products/ubuntu1604/product.yml | 1 +
products/ubuntu1804/product.yml | 1 +
products/ubuntu2004/product.yml | 1 +
ssg/constants.py | 1 +
ssg/products.py | 4 ++++
tests/shared/grub2.sh | 10 +++++---
17 files changed, 50 insertions(+), 47 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 8545e8ab2c7..7950c15a848 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -1,26 +1,20 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_admin_username" version="1">
{{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
<ind:object object_ref="object_bootloader_uefi_unique_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8a98cbdc95f..128d7cc1cb8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 230aab73139..a67c8ad99bb 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -1,32 +1,26 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_password" version="1">
{{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
<criteria operator="AND">
<criteria comment="check both files to account for procedure change in documenation" operator="OR">
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
</criteria>
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
</criteria>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
<ind:object object_ref="object_bootloader_uefi_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -35,7 +29,7 @@
<ind:object object_ref="object_grub2_uefi_password_usercfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -44,7 +38,7 @@
<ind:object object_ref="object_grub2_uefi_password_grubcfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index cb0d60c3ddf..cc68441e5ad 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -31,10 +31,8 @@ description: |-
<tt>grub.cfg</tt> file by running:
{{% if "ubuntu" in product %}}
<pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg</pre>
{{% else %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
{{% endif %}}
rationale: |-
@@ -91,18 +89,18 @@ ocil: |-
To verify the boot loader superuser account password has been set,
and the password encrypted, run the following command:
{{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat /boot/efi/EFI/sles/grub.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should be similar to:
<pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
{{% elif "ubuntu" in product %}}
- <pre>grep -i password /boot/grub/grub.cfg</pre>
+ <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should contain something similar to:
<pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
{{% else %}}
- <pre>sudo cat /boot/efi/EFI/redhat/user.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
index 72872d907e3..89a9fae86ec 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
@@ -1,27 +1,21 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="uefi_no_removeable_media" version="1">
{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
- <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+ comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
id="test_uefi_no_removeable_media" version="1">
<ind:object object_ref="obj_uefi_no_removeable_media" />
<ind:state state_ref="state_uefi_no_removeable_media" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -30,5 +24,5 @@
<ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
</ind:textfilecontent54_state>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
</def-group>
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
index 0cb53c5331e..ea8e98eea78 100644
--- a/products/fedora/product.yml
+++ b/products/fedora/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
cpes_root: "../../shared/applicability"
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
index fb5d17786da..6438797f218 100644
--- a/products/rhel7/product.yml
+++ b/products/rhel7/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel7:
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
index 78c987b2457..f6d2102558d 100644
--- a/products/rhel8/product.yml
+++ b/products/rhel8/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel8:
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 4ceb332adf3..6b5a15d5cee 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
index d1301a17f91..b9e44e0725c 100644
--- a/products/sle12/product.yml
+++ b/products/sle12/product.yml
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
+
cpes_root: "../../shared/applicability"
cpes:
- sle12-server:
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
index 827a875d493..36ec98397f6 100644
--- a/products/ubuntu1604/product.yml
+++ b/products/ubuntu1604/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
index 68922441a2a..f1671b8d7dd 100644
--- a/products/ubuntu1804/product.yml
+++ b/products/ubuntu1804/product.yml
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
init_system: "systemd"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
index 15565b6748f..d75624d70a3 100644
--- a/products/ubuntu2004/product.yml
+++ b/products/ubuntu2004/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/ssg/constants.py b/ssg/constants.py
index 666d7a4d3c8..f9c978a22a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -383,4 +383,5 @@
# Application constants
DEFAULT_UID_MIN = 1000
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b741b2..fb55f5c2f4b 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -9,6 +9,7 @@
from .constants import (product_directories,
DEFAULT_UID_MIN,
DEFAULT_GRUB2_BOOT_PATH,
+ DEFAULT_GRUB2_UEFI_BOOT_PATH,
DEFAULT_DCONF_GDM_DIR,
PKG_MANAGER_TO_SYSTEM,
PKG_MANAGER_TO_CONFIG_FILE,
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
if "grub2_boot_path" not in existing_properties:
result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ if "grub2_uefi_boot_path" not in existing_properties:
+ result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
+
if "dconf_gdm_dir" not in existing_properties:
result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index bce7683a7c1..f024b3766cf 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
function set_grub_uefi_root {
if grep NAME /etc/os-release | grep -iq fedora; then
- GRUB_CFG_ROOT=/boot/efi/EFI/fedora
- else
- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ GRUB_CFG_ROOT=/boot/grub2
+ elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+ GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ fi
fi
}
From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 5 Aug 2021 17:59:39 +0200
Subject: [PATCH 4/5] Add the sshd directory configuration rule
Remediations of other sshd rules assumes that sshd is configured using
multiple files as opposed to one huge file, and this rule
makes sure that the assumption is guarded.
---
controls/anssi.yml | 3 +++
products/rhel9/profiles/cis.profile | 2 ++
products/rhel9/profiles/cjis.profile | 1 +
products/rhel9/profiles/e8.profile | 1 +
products/rhel9/profiles/hipaa.profile | 1 +
products/rhel9/profiles/ism_o.profile | 1 +
products/rhel9/profiles/ospp.profile | 1 +
products/rhel9/profiles/pci-dss.profile | 1 +
products/rhel9/profiles/rht-ccp.profile | 1 +
9 files changed, 12 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 7737e67ea51..eee79cf1ef7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -384,6 +384,9 @@ controls:
- package_sudo_installed
- audit_rules_privileged_commands_sudo
+ # This rule should be present in the profile at least once
+ - sshd_use_directory_configuration
+
- id: R20
levels:
- enhanced
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 622f88e3766..8d7816e5e2d 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -791,6 +791,8 @@ selections:
- file_permissions_sshd_pub_key
# TO DO: check owner of pub keys in /etc/ssh is root:root
+ # Ensure that the configuration is done the right way
+ - sshd_use_directory_configuration
### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- sshd_set_loglevel_info
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
index b45ba19d84f..0aaf7cb0206 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -98,6 +98,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 6d87a778eee..3851255ccec 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -126,6 +126,7 @@ selections:
- audit_rules_kernel_module_loading
### Secure access
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_disable_gssapi_auth
- sshd_print_last_log
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 797c62708e2..d1dc18ba33c 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
+ - sshd_use_directory_configuration
- sshd_disable_empty_passwords
- sshd_disable_root_login
- libreswan_approved_tunnels
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 82e863ad3d3..6fc919da128 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -56,6 +56,7 @@ selections:
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_use_directory_configuration
- sshd_max_auth_tries_value=5
- disable_host_auth
- require_emergency_target_auth
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index adec0cbd774..08ffcccd9e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
### Services
# sshd
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_enable_strictmodes
- disable_host_auth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 1fe85d39ae0..bd16dc97721 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -105,6 +105,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
index e1d9a70b493..8576975aa54 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -87,6 +87,7 @@ selections:
- service_telnet_disabled
- package_telnet-server_removed
- package_telnet_removed
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 11 Aug 2021 16:43:00 +0200
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
Packages dnf-plugin-subscription-manager and subscription-manager are
merged to subscription-manager in RHEL9 - see
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
---
.../rule.yml | 3 +--
.../package_subscription-manager_installed/rule.yml | 9 ++++++++-
products/rhel9/profiles/ospp.profile | 1 -
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 4f49b3b825d..8b6577226fb 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: rhel8
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
- cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index b90a7588270..32e5ce9a129 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -12,7 +12,14 @@ rationale: |-
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
- content management tools such as yum.
+ content management tools such as {{{ package_manager }}}.
+
+ {{% if product in ["rhel9"] %}}
+ The package provides, among other things, {{{ package_manager }}} plugins
+ to interact with repositories and subscriptions
+ from the Red Hat entitlement platform - the subscription-manager and
+ product-id plugins.
+ {{% endif %}}
severity: medium
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 08ffcccd9e2..1b060c7bf07 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -178,7 +178,6 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
- - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed

23
scap-security-guide.spec
View File

@ -5,7 +5,7 @@
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.57 Version: 0.1.57
Release: 2%{?dist} Release: 3%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
@ -15,6 +15,11 @@ BuildArch: noarch
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
Patch1: scap-security-guide-0.1.58-sshd_directory-PR_6926.patch Patch1: scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
Patch2: scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch Patch2: scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
Patch3: scap-security-guide-0.1.58-various_fixes-PR_7335.patch
Patch4: scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: expat BuildRequires: expat
@ -101,6 +106,22 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif %endif
%changelog %changelog
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Use SSHD directory-based configuration.
Resolves: rhbz#1962564
- Introduce ISM kickstarts
Resolves: rhbz#1978290
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
TLDR: Enable remediations by means of platform metadata,
enable the RHEL9 GPG rule, introduce the s390x platform,
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
address the subscription-manager package merge, and
enable and select more rules applicable to RHEL9.
Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688