Rebase to a new upstream release

Resolves: rhbz#1962564
Matej Tyc 2021-07-28 18:06:40 +02:00
parent dfed54b246
commit dac4498bd5
13 changed files with 86 additions and 15049 deletions

.gitignore

@ -39,3 +39,4 @@
/scap-security-guide-0.1.53.tar.bz2
/scap-security-guide-0.1.54.tar.bz2
/scap-security-guide-0.1.56.tar.bz2
/scap-security-guide-0.1.57.tar.bz2
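Review bot: the 0.1.57 tarball entry is added here while the two downstream patch files further down are deleted in full, yet the commit message says only "Rebase to a new upstream release" and does not state that those patches are contained in 0.1.57. Record that in the message (for example "drop patches merged upstream in 0.1.57") so a later reader can verify the rebase did not silently lose a downstream fix.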


@ -1,693 +0,0 @@
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:14:24 +0200
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
---
controls/anssi.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 2053de05c0..e9b9f1b803 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -70,6 +70,10 @@ controls:
It is recommended to use the mandatory access control (MAC) features in
addition to the traditional Unix user model (DAC), or possibly combine
them with partitioning mechanisms.
+ notes: >-
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
+ in this requirement.
+ automated: partially
rules:
- selinux_state
- var_selinux_state=enforcing
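Review bot: `automated: partially` is set for this control, but the new `notes:` block only says which partitioning mechanisms are out of scope and not which part of the requirement the selected `selinux_state` rules leave unchecked; add one sentence naming the manual part. "are not contemplated in this requirement" also reads oddly; "are not covered by this requirement" is the intended meaning.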
@@ -161,6 +165,7 @@ controls:
The iommu = force directive must be added to the list of kernel parameters
during startup in addition to those already present in the configuration
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
+ automated: yes
rules:
- grub2_enable_iommu_force
@@ -837,8 +842,8 @@ controls:
not locally stored in clear), or possibly stored on a separate machine
of the one on which the sealing is done.
Check section "Database and config signing in AIDE manual"
- https://github.com/aide/aide/blob/master/doc/manual.html
- # rules: TBD
+ https://aide.github.io/doc/#signing
+ automated: no
- id: R53
level: enhanced
@@ -946,7 +951,7 @@ controls:
title: Enable AppArmor security profiles
description: >-
All AppArmor security profiles on the system must be enabled by default.
- # rules: TBD
+ automated: no
- id: R66
level: high
@@ -990,6 +995,7 @@ controls:
description: >-
SELinux policy manipulation and debugging tools should not be installed
on a machine in production.
+ automated: yes
rules:
- package_setroubleshoot_removed
- package_setroubleshoot-server_removed
@@ -1000,4 +1006,5 @@ controls:
title: Confining interactive non-privileged users
description: >-
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
- # rules: TBD
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
+ automated: no
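Review bot: the added note says users with administrative duties should not be confined with `user_u` but names no alternative, so a reader cannot act on it; name the confined administrative SELinux user that is appropriate (for example `staff_u`) or drop the sentence, since a caveat without a recommendation does not help whoever implements this control manually.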
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:31:11 +0200
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
---
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 75 insertions(+), 16 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index e9b9f1b803..291af65f58 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,8 +19,10 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Use of obsolete or insecure services is not recommended.
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended.
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
+ over any package installed later.
rules:
- package_dhcp_removed
#- package_rsh_removed
@@ -45,10 +47,9 @@ controls:
problematic from a security point of view.
The features configured at the level of launched services should be limited to the strict
minimum.
+ automated: no
notes: >-
Define a list of most problematic components or features to be hardened or restricted.
- # potential components: sshd, pam, chrony?
- # rules: TBD
- id: R3
level: enhanced
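Review bot: the `# potential components: sshd, pam, chrony?` comment is deleted together with `# rules: TBD`, but the `notes:` text that remains only says to "define a list of most problematic components" without naming any. Move the candidate list into the note instead of dropping it; otherwise the one concrete hint for whoever automates R2 later is lost.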
@@ -109,7 +110,10 @@ controls:
Network services should as much as possible be hosted on isolated environments.
This avoids having other potentially affected services if one of them gets
compromised under the same environment.
- #rules: TBD
+ notes: >-
+ Manual analysis is required to determine if services are hosted appropriately in
+ separate or isolated system while maintaining functionality.
+ automated: no
- id: R7
level: enhanced
@@ -117,6 +121,7 @@ controls:
description: >-
The activities of the running system and services must be logged and
archived on an external, non-local system.
+ automated: yes
rules:
# The default remote loghost is logcollector.
# Change the default value to the hostname or IP of the system to send the logs to
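Review bot: `automated: yes` is optimistic here: the comment directly below says the remote loghost variable ships with the placeholder `logcollector` and has to be changed by the user, so an unmodified scan checks logging against a host that does not exist. Either mark the control `partially` or state in `notes:` that the profile must be tailored with the real log collector before a pass result means anything.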
@@ -235,6 +240,7 @@ controls:
notes: >-
The rule disabling auto-mount for /boot is commented until the rules checking for other
/boot mount options are updated to handle this usecase.
+ automated: no
#rules:
#- mount_option_boot_noauto
@@ -275,7 +281,7 @@ controls:
hardening measures.
Between two packages providing the same service, those subject to hardening
(at compilation, installation, or default configuration) must be preferred.
- #rules: TBD
+ automated: no
- id: R17
level: enhanced
@@ -283,6 +289,7 @@ controls:
description: >-
A boot loader to protect the password boot must be to be privileged.
This password must prevent any user from changing their configuration options.
+ automated: yes # without remediation
rules:
- grub2_password
- grub2_uefi_password
@@ -358,12 +365,28 @@ controls:
must be set up as soon as the system is installed: account and administration
passwords, root authority certificates, public keys, or certificates of the
host (and their respective private key).
- # rules: TBD
+ notes: >-
+ This concerns two aspects, the first is administrative, and involves prompt
+ installation of secrets or trusted elements by the sysadmin.
+ The second involves removal of any default secret or trusted element
+ configured by the operating system during install process, e.g. default
+ known passwords.
+ automated: no
- id: R21
level: intermediary
title: Hardening and monitoring of services subject to arbitrary flows
- # rules: TBD
+ notes: >-
+ SELinux can provide confinement and monitoring of services, and AIDE provides
+ basic integrity checking. System logs are configured as part of R43.
+ Hardening of particular services should be done on a case by case basis and is
+ not automated by this content.
+ automated: partially
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ - package_aide_installed
+ - aide_build_database
- id: R22
level: intermediary
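Review bot: R21 receives `notes:`, `automated:` and a rule list but still has no `description:`, unlike every other control touched in this series; add the requirement text so the selected `selinux_state` and AIDE rules can be checked against what the control actually asks for. The note also points to "R43" for system logs, which is not part of this patch; confirm the cross-reference is correct.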
@@ -535,6 +558,7 @@ controls:
sysctl kernel.modules_disabledconf:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
+ automated: yes # without remediation
rules:
- sysctl_kernel_modules_disabled
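Review bot: `automated: yes # without remediation` is a free-form comment here and at R17 above, so tools consuming the control file cannot tell the two cases apart; if the distinction matters, record it in a field and explain in `notes:` why no remediation exists. For this control the reason is worth stating explicitly: `kernel.modules_disabled` can only be raised to 1 and cannot be reverted without a reboot, so an automated fix applied mid-session can block module loading the system still needs.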
@@ -545,6 +569,7 @@ controls:
It is recommended to load the Yama security module at startup (by example
passing the security = yama argument to the kernel) and configure the
sysctl kernel.yama.ptrace_scope to a value of at least 1.
+ automated: yes
rules:
- sysctl_kernel_yama_ptrace_scope
@@ -553,13 +578,19 @@ controls:
title: Disabling unused user accounts
description: >-
Unused user accounts must be disabled at the system level.
- # rules: TBD
+ notes: >-
+ The definition of unused user accounts is broad. It can include accounts
+ whose owners don't use the system anymore, or users created by services
+ or applicatons that should not be used.
+ automated: no
- id: R27
title: Disabling service accounts
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
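Review bot: `UID_SYS_MAX` in the added R27 note is not a login.defs variable; the pair is `SYS_UID_MIN`/`SYS_UID_MAX`. The same typo and the "UID of such accounts are ... its values" agreement error recur in the R28 hunk below, and both are corrected by patch 4/6 of this same series; squash that fix into this patch rather than landing a known-wrong line and its correction as separate commits.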
@@ -568,7 +599,11 @@ controls:
title: Uniqueness and exclusivity of system service accounts
description: >-
Each service must have its own system account and be dedicated to it exclusively.
- # rules: TBD
+ notes: >-
+ It is not trivial to identify wether a user account is a service account.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
+ automated: no
- id: R29
level: enhanced
@@ -778,6 +813,7 @@ controls:
description: >-
The syslog services must be isolated from the rest of the system in a
dedicated container.
+ automated: no
# rules: TBD
- id: R46
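Review bot: `automated: no` is added but the `# rules: TBD` marker on the next line is kept, whereas every other hunk in this patch replaces the marker with the `automated:` field; remove it here too, otherwise a grep for remaining TBD controls will keep reporting this one as unfinished.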
@@ -825,6 +861,7 @@ controls:
This includes: directories containing executables, libraries,
configuration files, as well as any files that may contain sensitive
elements (cryptographic keys, passwords, confidential data).
+ automated: yes
rules:
- package_aide_installed
- aide_build_database
@@ -851,7 +888,12 @@ controls:
description: >-
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
- # rules: TBD
+ notes: >-
+ SELinux policies limit the privileges of services and daemons to only what they require.
+ automated: partially
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
- id: R54
level: enhanced
@@ -859,17 +901,24 @@ controls:
description: >-
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
- # rules: TBD
+ notes: >-
+ It may be interesting to point out virtulization components that are installed and
+ should be hardened.
+ automated: no
- id: R55
level: intermediary
title: chroot jail and access right for partitioned service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ autmated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R57
level: intermediary
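Review bot: the R55 hunk writes the key as `autmated: no`; a misspelled key is not an `automated` status, so depending on the loader it is either silently ignored (leaving R55 with no status at all) or rejected as unknown. Patch 4/6 of this series fixes it; squash the fix here so no revision of the file carries the broken key.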
@@ -924,7 +973,10 @@ controls:
description: >-
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
- # rules: TBD
+ notes: >-
+ Human review is required to assess if the commands requiring EXEC is minimal.
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
+ automated: no
- id: R62
level: intermediary
@@ -944,7 +996,13 @@ controls:
- id: R64
level: intermediary
title: Good use of sudoedit
- # rules: TBD
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
+ notes: >-
+ In R62 we established that the sudoers files should not use negations, thus the approach
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
+ But it is difficult to ensure that allowed binaries aren't text editors without human
+ review.
+ automated: no
- id: R65
level: high
@@ -959,6 +1017,7 @@ controls:
description: >-
It is recommended to enable the targeted policy when the distribution
support it and that it does not operate another security module than SELinux.
+ automated: yes
rules:
- selinux_policytype
- var_selinux_policy_name=targeted
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:49:42 +0200
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
---
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
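Review bot: dropping the "DRAFT" prefix declares the profile finished, yet the control-file changes in this same series leave many high and intermediary controls at `automated: no` or `partially`. The description should say that the profile implements the automatable subset of ANSSI-BP-028 and point to the control file for the manual items, so the undrafted title is not read as full coverage. Both hunks also show the same blob ids (`22efad9c09..560460b55f`), which confirms the rhel7 and rhel8 files are byte-identical; consider whether one should be generated from the other rather than maintained twice.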
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 10:58:50 +0200
Subject: [PATCH 4/6] Fix typos and improve language
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
controls/anssi.yml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 291af65f58..81d099e98b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -581,7 +581,7 @@ controls:
notes: >-
The definition of unused user accounts is broad. It can include accounts
whose owners don't use the system anymore, or users created by services
- or applicatons that should not be used.
+ or applications that should not be used.
automated: no
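Review bot: this patch corrects typos ("applicatons", "wether", `UID_SYS_MAX`, `autmated`) that patch 2/6 of the same series introduced; since the series is reviewed as a unit, fold these fixes into 2/6 so the typos never land in history, and keep 4/6 only for wording changes that are not plain typo corrections.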
- id: R27
@@ -589,7 +589,7 @@ controls:
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
@@ -600,8 +600,8 @@ controls:
description: >-
Each service must have its own system account and be dedicated to it exclusively.
notes: >-
- It is not trivial to identify wether a user account is a service account.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ It is not trivial to identify whether a user account is a service account.
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
automated: no
@@ -889,7 +889,7 @@ controls:
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
notes: >-
- SELinux policies limit the privileges of services and daemons to only what they require.
+ SELinux policies limit the privileges of services and daemons just to those which are required.
automated: partially
rules:
- selinux_policytype
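Review bot: the rewording to "just to those which are required" is less clear than the line it replaces ("to only what they require") and leaves "those" without a clear noun; keep the original sentence, or write "restrict the privileges of services and daemons to those they require".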
@@ -902,7 +902,7 @@ controls:
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
notes: >-
- It may be interesting to point out virtulization components that are installed and
+ It may be interesting to point out virtualization components that are installed and
should be hardened.
automated: no
@@ -910,14 +910,14 @@ controls:
level: intermediary
title: chroot jail and access right for partitioned service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
- autmated: no
+ Using automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
+ Using automation to restrict access and chroot services is not generally reliable.
automated: no
- id: R57
@@ -974,7 +974,7 @@ controls:
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
notes: >-
- Human review is required to assess if the commands requiring EXEC is minimal.
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
An auxiliary rule could list rules containing EXEC tag, for analysis.
automated: no
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:41:30 +0200
Subject: [PATCH 5/6] Update R1 notes and selected rule
---
controls/anssi.yml | 28 +++++++++----------
.../package_xinetd_removed/rule.yml | 1 +
.../nis/package_ypbind_removed/rule.yml | 1 +
.../nis/package_ypserv_removed/rule.yml | 1 +
.../package_rsh-server_removed/rule.yml | 1 +
.../r_services/package_rsh_removed/rule.yml | 1 +
.../talk/package_talk-server_removed/rule.yml | 1 +
.../talk/package_talk_removed/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../telnet/package_telnet_removed/rule.yml | 1 +
.../tftp/package_tftp-server_removed/rule.yml | 1 +
.../tftp/package_tftp_removed/rule.yml | 4 +++
13 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 81d099e98b..ebee9c4259 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,25 +19,25 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Manual review is required to assess if the installed services are minimal.
- In general, use of obsolete or insecure services is not recommended.
Performing a minimal install is a good starting point, but doesn't provide any assurance
over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended and we remove some
+ of these in this recommendation.
rules:
- package_dhcp_removed
- #- package_rsh_removed
- #- package_rsh-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
- package_sendmail_removed
- - package_telnetd_removed
- #- package_talk_removed
- #- package_talk-server_removed
- #- package_telnet_removed
- #- package_telnet-server_removed
- #- package_tftp_removed
- #- package_tftp-server_removed
- #- package_xinetd_removed
- #- package_ypbind_removed
- #- package_ypserv_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+# - package_tftp_removed
+ - package_tftp-server_removed
+ - package_xinetd_removed
+ - package_ypbind_removed
+ - package_ypserv_removed
- id: R2
level: intermediary
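Review bot: `package_tftp_removed` is left commented out with no explanation while the other rules are enabled, and the `package_tftp_removed` rule itself gains an `anssi: BP28(R1)` reference later in this patch, so the reference and the selection now disagree. Either select the rule or add a comment saying why the tftp client stays (and drop the reference). `package_telnetd_removed` is also replaced by `package_telnet-server_removed`; the commit message should say whether that is a correction of a non-existent rule id or a deliberate change of scope.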
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index e2431be9c5..9494025449 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-80850-1
references:
+ anssi: BP28(R1)
cis@rhel8: 2.1.1
disa: CCI-000305
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
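Review bot: the reference value `BP28(R1)` hardcodes the BP-028 naming under a single `anssi:` key, but the rhel7 profile in this series is `anssi_nt28_high.profile`; confirm that the BP28 form is what should be displayed for rhel7 as well, or the rhel7 mapping will show a document name that does not match its profile. This applies equally to the ten other `anssi: BP28(R1)` additions below.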
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 97e27e2a4c..e836dc6fb1 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -24,6 +24,7 @@ identifiers:
cce@rhel8: CCE-82181-9
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.1
cis@rhel8: 2.3.1
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index ac1d8e6f4c..7ca7a67e69 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82432-6
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020010
cis@rhel7: 2.2.16
cis@rhel8: 2.2.17
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index 21f4d7bae6..33c36cde67 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82184-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020000
disa: CCI-000381
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index c8f4673a3a..dbc6bd7329 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-82183-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.2
cui: 3.1.13
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index 12971558e9..e46e4f55d0 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-82180-1
references:
+ anssi: BP28(R1)
cis@rhel7: 2.2.18
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 68e804ba38..24743fc2d6 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-80848-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.3
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 7bb5ed5da3..24cf50ff29 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -31,6 +31,7 @@ identifiers:
cce@sle15: CCE-83273-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-021710
cis@rhel7: 2.1.19
disa: CCI-000381
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 1b0128ec06..afef488734 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel8: CCE-80849-3
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.4
cis@rhel8: 2.3.2
cui: 3.1.13
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 3fcc8db4c8..ca25bb2124 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82436-7
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-040700
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
nist: CM-7(a),CM-7(b),CM-6(a)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index c3a501259c..0be9a60d38 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -19,6 +19,10 @@ severity: low
identifiers:
cce@rhel7: CCE-80443-5
+ cce@rhel8: CCE-83590-0
+
+references:
+ anssi: BP28(R1)
ocil: '{{{ describe_package_remove(package="tftp") }}}'
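Review bot: a new `cce@rhel8: CCE-83590-0` identifier is assigned here; CCE ids in this project are drawn from a list of pre-allocated, unused ids, and the id must be removed from that list in the same change or it can be handed out twice. The commit message does not mention the new CCE at all, although it is the only identifier change in the series; say so explicitly.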
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:43:32 +0200
Subject: [PATCH 6/6] Update R5 notes and rule selection
Note commented rules as related, and potentially useful.
---
controls/anssi.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index ebee9c4259..bba7148da9 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -88,20 +88,22 @@ controls:
automated: partially
notes: >-
Defense in-depth can be broadly divided into three areas - physical, technical and
- administrative. The security profile is best suitedto protect the technical area.
+ administrative. The security profile is best suited to protect the technical area.
Among the barriers that can be implemented within the technical area are antivirus software,
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
intrusion detection systems, firewalls and vulnerability scanners.
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
rules:
- #- package_audit_installed
- #- service_auditd_enabled
- sudo_remove_no_authenticate
- package_rsyslog_installed
- service_rsyslog_enabled
- #- package_ntp_installed
- #- package_firewalld_installed
- #- service_firewalld_enabled
- #- sssd_enable_smartcards
+ related_rules:
+ - package_audit_installed
+ - service_auditd_enabled
+ - package_ntp_installed
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - sssd_enable_smartcards
- id: R6
level: enhanced
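Review bot: the added note line misspells "exaustive" (exhaustive). More importantly, `related_rules:` is a key not used anywhere else in the control file shown here; unless the controls loader knows it, the six rule ids listed under it are either silently dropped or fail validation, whereas the commented-out selections they replace at least documented intent without that risk. Confirm loader support (or add it in this patch) and mention it in the commit message.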


@ -1,477 +0,0 @@
From aae5be64cdeb4a41caa3f3273342373cc4f4e9b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 19 May 2021 18:01:14 +0200
Subject: [PATCH 1/4] Add options for building Ansible and Bash content
This patch adds 2 new options SSG_ANSIBLE_PLAYBOOKS_ENABLED and
SSG_BASH_SCRIPTS_ENABLED which will allow users to turn on or off
building and installing profile Bash remediation scripts and profile
Ansible Playbooks. They are enabled by default, therefore the default
behavior doesn't change, but people can turn them off to speed up the
build. These options can be useful when calling cmake in downstream spec
files.
---
CMakeLists.txt | 4 +++
cmake/SSGCommon.cmake | 60 +++++++++++++++++++++++--------------------
2 files changed, 36 insertions(+), 28 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 32a0ddd240a..c309efde9bd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,6 +46,8 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
+option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
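Review bot: both options default to TRUE so existing builds are unchanged, which is right, but the two new cache variables are not mentioned in the build documentation alongside the other `SSG_*_ENABLED` switches listed here; add them where the existing options are described so downstream spec files can find them without reading CMakeLists.txt.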
@@ -240,6 +242,8 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
+message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
if (SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 889c0cf1d3c..9b109f86b9f 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -789,7 +789,7 @@ macro(ssg_build_product PRODUCT)
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
add_dependencies(
${PRODUCT}-content
generate-${PRODUCT}-ansible-playbooks
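Review bot: the condition mixes a quoted expansion (`"${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}"`) with a bare variable name (`SSG_ANSIBLE_PLAYBOOKS_ENABLED`); both forms evaluate correctly under CMake's `if()` constant rules, but the inconsistency invites someone to later quote the second operand or unquote the first and change the semantics. Use one form in all four gated conditions in this patch.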
@@ -803,7 +803,7 @@ macro(ssg_build_product PRODUCT)
add_dependencies(zipfile ${PRODUCT}-profile-playbooks)
endif()
- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
ssg_build_profile_bash_scripts(${PRODUCT})
add_custom_target(
${PRODUCT}-profile-bash-scripts
@@ -873,30 +873,34 @@ macro(ssg_build_product PRODUCT)
endif()
"
)
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES})
- else()
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES})
- endif()
- "
- )
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
- if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES})
- else()
- file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES})
- endif()
- "
- )
+ if(SSG_ANSIBLE_PLAYBOOKS_ENABLED)
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES})
+ else()
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES})
+ endif()
+ "
+ )
+ endif()
+ if(SSG_BASH_SCRIPTS_ENABLED)
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
+ if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES})
+ else()
+ file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES})
+ endif()
+ "
+ )
+ endif()
# grab all the kickstarts (if any) and install them
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
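Review bot: the two gated `install(CODE ...)` blocks differ only in the glob pattern and the destination variable, and the extra `if()` wrapper brings each to a dozen lines of near-duplicate code; a small helper macro taking the glob, destination directory and option name would keep the Bash and Ansible paths from drifting apart the next time one of them is touched.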
@@ -968,7 +972,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
ssg_build_html_guides(${DERIVATIVE})
- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
ssg_build_profile_bash_scripts(${DERIVATIVE})
add_custom_target(
${DERIVATIVE}-profile-bash-scripts
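Review bot: the condition mixes two styles: a quoted `"${PRODUCT_BASH_REMEDIATION_ENABLED}"` string that if() treats as a constant, and a bare `SSG_BASH_SCRIPTS_ENABLED` name that it dereferences. Both work, but `if(PRODUCT_BASH_REMEDIATION_ENABLED AND SSG_BASH_SCRIPTS_ENABLED)` reads uniformly and does not depend on the CMP0054 quoted-argument behaviour. The same applies to the Ansible condition in the following hunk.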
@@ -977,7 +981,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
add_dependencies(${DERIVATIVE} ${DERIVATIVE}-profile-bash-scripts)
endif()
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
ssg_build_profile_playbooks(${DERIVATIVE})
add_custom_target(
${DERIVATIVE}-profile-playbooks
From c7c7baa84ce722304224373c556a2d03edb0f76c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 20 May 2021 09:14:21 +0200
Subject: [PATCH 2/4] Do not build HTML guide for the virtual default profile
The virtual '(default)' profile is a profile that doesn't contain
any rules, so the built HTML guide also doesn't contain any rules
which means it contains only group descriptions. This HTML guide
has no use for the users and it only increases the built size.
---
ssg/build_guides.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/ssg/build_guides.py b/ssg/build_guides.py
index 3b2a9469240..2e37d80eef3 100644
--- a/ssg/build_guides.py
+++ b/ssg/build_guides.py
@@ -105,10 +105,6 @@ def get_benchmark_profile_pairs(input_tree, benchmarks):
for benchmark_id in benchmarks.keys():
profiles = get_profile_choices_for_input(input_tree, benchmark_id,
None)
-
- # add the default profile
- profiles[""] = "(default)"
-
for profile_id in profiles:
pair = (benchmark_id, profile_id, profiles[profile_id])
benchmark_profile_pairs.append(pair)
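Review bot: dropping the synthetic `(default)` entry means a benchmark for which `get_profile_choices_for_input` returns an empty dict now contributes no (benchmark, profile) pair at all, whereas before it always yielded at least the default guide; if that is intended, a one-line comment above the loop saying so would help, and anything that keyed on the empty-string profile id (guide index pages, tests) should be checked for remaining references to `(default)`.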
From f2c265013dd5fe75fd47c8ce7afe9e2ecc7cf16f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 20 May 2021 09:49:51 +0200
Subject: [PATCH 3/4] Add option to disable SCAP 1.2 data streams
This commit adds a new option that enables to turn on building
the SCAP 1.2 source data streams (ssg-*-ds-1.2.xml). This option
will help people who don't want to build and ship this file.
The default setting is TRUE which means the default behavior
shouldn't change.
---
CMakeLists.txt | 2 +
cmake/SSGCommon.cmake | 100 +++++++++++++++++++++++++++---------------
2 files changed, 67 insertions(+), 35 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c309efde9bd..55b991cedfa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -41,6 +41,7 @@ set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL
set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
+option(SSG_BUILD_SCAP_12_DS "If enabled, ssg-*-ds-1.2.xml will be built along with ssg-*-ds.xml" TRUE)
option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE)
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
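Review bot: naming: the neighbouring options use an `_ENABLED` suffix (SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED, SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED, SSG_LINKCHECKER_VALIDATION_ENABLED) while the new one is `SSG_BUILD_SCAP_12_DS`; something like `SSG_SCAP_12_DS_ENABLED` would follow the convention and is easier to find alongside the other switches.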
@@ -238,6 +239,7 @@ message(STATUS " ")
message(STATUS "Build options:")
message(STATUS "SSG vendor string: ${SSG_VENDOR}")
message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}")
+message(STATUS "Build SCAP 1.2 source data streams: ${SSG_BUILD_SCAP_12_DS}")
message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}")
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 9b109f86b9f..412db46c687 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -555,7 +555,6 @@ macro(ssg_build_sds PRODUCT)
if("${PRODUCT}" MATCHES "rhel(6|7)")
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
@@ -563,10 +562,8 @@ macro(ssg_build_sds PRODUCT)
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
@@ -578,22 +575,19 @@ macro(ssg_build_sds PRODUCT)
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
)
else()
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
@@ -603,14 +597,30 @@ macro(ssg_build_sds PRODUCT)
DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
+ )
+ endif()
+
+ if(SSG_BUILD_SCAP_12_DS)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
+ )
+ add_custom_target(
+ generate-ssg-${PRODUCT}-ds.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ )
+ else()
+ add_custom_target(
+ generate-ssg-${PRODUCT}-ds.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
)
endif()
- add_custom_target(
- generate-ssg-${PRODUCT}-ds.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- )
if("${PRODUCT}" MATCHES "rhel(6|7|8|9)")
add_test(
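Review bot: the new 1.2 command feeds `update_sds_version.py --version "1.2"` with ssg-${PRODUCT}-ds.xml, but that file has already been rewritten in place to SCAP 1.3 by the preceding `--version "1.3"` step (same path as both `--input` and `--output`, two hunks above), so the 1.2 stream is now derived from a 1.3 stream rather than from the composed 1.2 one as before; the later patch in this series ("Fix order in which SCAP 1.2 and 1.3 are generated") confirms that the downgrade does not work and introduces an intermediate base file instead. Separately, `add_custom_target(generate-ssg-${PRODUCT}-ds.xml ...)` is now declared in both branches; a single declaration with a conditional DEPENDS list would avoid the duplicate.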
@@ -626,10 +636,12 @@ macro(ssg_build_sds PRODUCT)
NAME "validate-ssg-${PRODUCT}-ds.xml"
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
)
- add_test(
- NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- )
+ if(SSG_BUILD_SCAP_12_DS)
+ add_test(
+ NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ )
+ endif()
endif()
endmacro()
@@ -640,7 +652,6 @@ macro(ssg_build_html_guides PRODUCT)
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build
DEPENDS generate-ssg-${PRODUCT}-ds.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml"
)
add_custom_target(
@@ -854,8 +865,10 @@ macro(ssg_build_product PRODUCT)
install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
+ if(SSG_BUILD_SCAP_12_DS)
+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
+ endif()
# This is a common cmake trick, we need the globbing to happen at build time
# and not configure time.
@@ -927,21 +940,34 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
DEPENDS generate-ssg-${ORIGINAL}-ds.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
- COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml and ssg-${DERIVATIVE}-ds-1.2.xml"
- )
- add_custom_target(
- generate-ssg-${DERIVATIVE}-ds.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml"
)
+ if (SSG_BUILD_SCAP_12_DS)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
+ DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds-1.2.xml"
+ )
+ add_custom_target(
+ generate-ssg-${DERIVATIVE}-ds.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ )
+ else()
+ add_custom_target(
+ generate-ssg-${DERIVATIVE}-ds.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
+ )
+ endif()
+
define_validate_product("${PRODUCT}")
if ("${VALIDATE_PRODUCT}" OR "${FORCE_VALIDATE_EVERYTHING}")
add_test(
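Review bot: the first add_custom_command still declares `OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"` (the unchanged line right below the ds.xml OUTPUT) even though the COMMAND that produced it was removed, and the new guarded command declares the same OUTPUT again; with two rules for one output the first, now no-op, rule satisfies the dependency and the real 1.2 command is never run. Drop that OUTPUT line from the first command (the follow-up patch "Fix output declaration of command generating ds" does exactly this). Minor: `if (SSG_BUILD_SCAP_12_DS)` here has a space before the parenthesis, unlike `if(SSG_BUILD_SCAP_12_DS)` in the product macro.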
@@ -952,10 +978,12 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
NAME "validate-ssg-${DERIVATIVE}-ds.xml"
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
)
- add_test(
- NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
- )
+ if (SSG_BUILD_SCAP_12_DS)
+ add_test(
+ NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ )
+ endif()
endif()
add_custom_target(${DERIVATIVE} ALL)
@@ -1004,8 +1032,10 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
+ if(SSG_BUILD_SCAP_12_DS)
+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
+ endif()
# This is a common cmake trick, we need the globbing to happen at build time
# and not configure time.
From 466d3cb4dac4688e234a0fd0eff7fb6e6ae4c578 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 21 May 2021 09:50:25 +0200
Subject: [PATCH 4/4] Add options for Bash and Ansible to build_product
This will allow people to build easily without Bash scripts
or without Ansible Playbooks.
---
build_product | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/build_product b/build_product
index cf84199e22e..8a186fbae0e 100755
--- a/build_product
+++ b/build_product
@@ -7,6 +7,8 @@
# ARG_OPTIONAL_SINGLE([jobs],[j],[Count of simultaneous jobs],[auto])
# ARG_OPTIONAL_BOOLEAN([debug],[],[Make a debug build with draft profiles],[off])
# ARG_OPTIONAL_BOOLEAN([derivatives],[],[Also build derivatives of products if applicable],[off])
+# ARG_OPTIONAL_BOOLEAN([ansible-playbooks],[],[Build Ansible Playbooks for every profile],[on])
+# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on])
# ARG_OPTIONAL_BOOLEAN([datastream-only],[],[Build the datastream only. Do not build any of the guides, tables, etc],[off])
# ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake])
# ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL])
@@ -71,19 +73,23 @@ _arg_builder="auto"
_arg_jobs="auto"
_arg_debug="off"
_arg_derivatives="off"
+_arg_ansible_playbooks="on"
+_arg_bash_scripts="on"
_arg_datastream_only="off"
print_help()
{
printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products."
- printf 'Usage: %s [-o|--oval <VERSION>] [-b|--builder <BUILDER>] [-j|--jobs <arg>] [--(no-)debug] [--(no-)derivatives] [--(no-)datastream-only] [-h|--help] [<product-1>] ... [<product-n>] ...\n' "$0"
+ printf 'Usage: %s [-o|--oval <VERSION>] [-b|--builder <BUILDER>] [-j|--jobs <arg>] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [--(no-)datastream-only] [-h|--help] [<product-1>] ... [<product-n>] ...\n' "$0"
printf '\t%s\n' "<product>: Products to build, ALL means all products (defaults for <product>: 'ALL')"
printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')"
printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')"
printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')"
printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)"
printf '\t%s\n' "--derivatives, --no-derivatives: Also build derivatives of products if applicable (off by default)"
+ printf '\t%s\n' "--ansible-playbooks, --no-ansible-playbooks: Build Ansible Playbooks for every profile (on by default)"
+ printf '\t%s\n' "--bash-scripts, --no-bash-scripts: Build Bash remediation scripts for every profile (on by default)"
printf '\t%s\n' "--datastream-only, --no-datastream-only: Build the datastream only. Do not build any of the guides, tables, etc (off by default)"
printf '\t%s\n' "-h, --help: Prints help"
printf '\nEnvironment variables that are supported:\n'
@@ -140,6 +146,14 @@ parse_commandline()
_arg_derivatives="on"
test "${1:0:5}" = "--no-" && _arg_derivatives="off"
;;
+ --no-ansible-playbooks|--ansible-playbooks)
+ _arg_ansible_playbooks="on"
+ test "${1:0:5}" = "--no-" && _arg_ansible_playbooks="off"
+ ;;
+ --no-bash-scripts|--bash-scripts)
+ _arg_bash_scripts="on"
+ test "${1:0:5}" = "--no-" && _arg_bash_scripts="off"
+ ;;
--no-datastream-only|--datastream-only)
_arg_datastream_only="on"
test "${1:0:5}" = "--no-" && _arg_datastream_only="off"
@@ -339,6 +353,12 @@ done
CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator")
set_no_derivatives_options
+if [ "$_arg_ansible_playbooks" = off ] ; then
+ CMAKE_OPTIONS+=("-DSSG_ANSIBLE_PLAYBOOKS_ENABLED:BOOL=OFF")
+fi
+if [ "$_arg_bash_scripts" = off ] ; then
+ CMAKE_OPTIONS+=("-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF")
+fi
EXPLICIT_BUILD_TARGETS=()
set_explict_build_targets


@ -1,202 +0,0 @@
From 35c61f74925f99536595824b0e787254ed89c64f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 26 May 2021 11:36:58 +0200
Subject: [PATCH 1/3] Fix output declaration of command generating ds
The custom command declares that it outputs the derivative 1.2 ds and
this causes the actual command that generates the derivative 1.2 not to
be run.
---
cmake/SSGCommon.cmake | 1 -
1 file changed, 1 deletion(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 412db46c68..272b40ccf3 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -939,7 +939,6 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
DEPENDS generate-ssg-${ORIGINAL}-ds.xml
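Review bot: correct fix. With this line gone, nothing declares ssg-${DERIVATIVE}-ds-1.2.xml when SSG_BUILD_SCAP_12_DS is off, so any DEPENDS, install() or add_test() that still names that file outside the guarded blocks would fail at generate time; the references visible in the earlier patch are all guarded, but the rest of the macro is worth a quick grep.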
From 551c225accec34e55ac1f011fbd5db7755b5f9ed Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 26 May 2021 14:46:26 +0200
Subject: [PATCH 2/3] Fix order in which SCAP 1.2 and 1.3 are generated
The data stream can be upgraded to 1.3, but not downgraded to 1.2.
Instead of chaining generation of DS version on each other, let's
generate a base ds from which SCAP 1.2 and 1.3 are generated.
---
cmake/SSGCommon.cmake | 43 ++++++++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 272b40ccf3..977c3957d1 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -554,16 +554,14 @@ endmacro()
macro(ssg_build_sds PRODUCT)
if("${PRODUCT}" MATCHES "rhel(6|7)")
add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
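Review bot: the sed expression on the schematron-version line, `[0-9].[0-9]`, uses an unescaped dot that matches any character; since the line is being rewritten anyway, `[0-9]\.[0-9]` would be the tighter pattern. The rest of the change is consistent: every command in this branch now reads and writes the base file, and the in-place 1.3 upgrade and xmllint formatting are moved out, so the base stays at the composed 1.2 level for both derived streams.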
@@ -575,19 +573,17 @@ macro(ssg_build_sds PRODUCT)
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
)
else()
add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
@@ -597,17 +593,26 @@ macro(ssg_build_sds PRODUCT)
DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
)
endif()
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
+ )
+
if(SSG_BUILD_SCAP_12_DS)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
)
add_custom_target(
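Review bot: ssg-${PRODUCT}-ds-base.xml is an intermediate artifact but is written to ${CMAKE_BINARY_DIR} next to the installable ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml, where any glob over ssg-*-ds*.xml (packaging, tests) would pick it up; keeping it in the product's own subdirectory, as the next patch in this series does, avoids that. Minor: the COMMENT for the 1.3 step ("Updating data stream ... to 1.3") is styled differently from the 1.2 step's "generating ...".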
From 97b1df0349c9c685cc07a0d3e3fd88385e0cd15d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 26 May 2021 14:51:32 +0200
Subject: [PATCH 3/3] Move product base ds to product dir
The base ds is used to facilitate generation of SCAP 1.2 and SCAP 1.3
data streams.
The base ds is an intermediary product and can be stored in the product
specific dir.
---
cmake/SSGCommon.cmake | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 977c3957d1..111b2b32ed 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -554,14 +554,14 @@ endmacro()
macro(ssg_build_sds PRODUCT)
if("${PRODUCT}" MATCHES "rhel(6|7)")
add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
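Review bot: the OUTPUT now lives under ${CMAKE_BINARY_DIR}/${PRODUCT}/ while WORKING_DIRECTORY stays ${CMAKE_BINARY_DIR}; the inputs (ssg-${PRODUCT}-xccdf-1.2.xml, the cpe dictionary, the pcidss XCCDF) are still relative names resolved against that working directory, so that part is consistent, but check that the ${PRODUCT} subdirectory exists before oscap writes into it; if nothing earlier guarantees that, a leading `COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}"` makes the rule self-contained.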
@@ -577,13 +577,13 @@ macro(ssg_build_sds PRODUCT)
)
else()
add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
# use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
DEPENDS generate-ssg-${PRODUCT}-oval.xml
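Review bot: the two branches of the if/else now differ only by the `sds-add ... ssg-${PRODUCT}-pcidss-xccdf-1.2.xml` line, and this hunk repeats every path change of the previous one. Building the command list once, with the PCI-DSS `sds-add` appended under the condition, and issuing a single `add_custom_command` would have made this relocation a one-line change and keeps the branches from drifting apart in the next edit.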
@@ -600,9 +600,9 @@ macro(ssg_build_sds PRODUCT)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
)
@@ -610,9 +610,9 @@ macro(ssg_build_sds PRODUCT)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
)
add_custom_target(

@ -1,224 +0,0 @@
From 7283a29c601c250f9809886860f89d4e673be577 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 24 May 2021 17:25:38 +0200
Subject: [PATCH 1/6] Add option to enable installation of individual ansible
tasks per rule.
---
CMakeLists.txt | 1 +
cmake/SSGCommon.cmake | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 55b991cedfa..13ddcf6aa7c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -49,6 +49,7 @@ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the S
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
+option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
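Review bot: the option is named and described as installing Ansible "Tasks", but the install block added in the same patch copies `${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml`, i.e. per-rule playbooks; patch 2/6 of this series renames it to SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED, so the two commits should be squashed rather than leaving one with a misleading option name and description.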
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 412db46c687..e1480561ee1 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -914,6 +914,20 @@ macro(ssg_build_product PRODUCT)
"
)
endif()
+ if(SSG_ANSIBLE_TASKS_ENABLED)
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
+ TYPE FILE FILES \${ROLE_FILES})
+ else()
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
+ TYPE FILE FILES \${ROLE_FILES})
+ endif()
+ "
+ )
+ endif()
# grab all the kickstarts (if any) and install them
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
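Review bot: `if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)` passes the path unquoted, so a value containing spaces or semicolons is split into several arguments; quote it, and since only the prefix decides absoluteness, testing `"${SSG_ANSIBLE_ROLE_INSTALL_DIR}"` alone is enough. Two smaller points: the `\n` after the `file(GLOB ...)` line is redundant inside a multi-line CODE string and is not used on the other lines, and a GLOB evaluated at install time installs whatever happens to be in the playbooks directory at that moment, leftovers from earlier builds included, so an explicit file list produced by the build step is the safer input.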
From 81f9051433bec735f0ce915290d465ba98401f86 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 25 May 2021 17:07:15 +0200
Subject: [PATCH 2/6] Rename ansible per rule cmake option.
---
CMakeLists.txt | 2 +-
cmake/SSGCommon.cmake | 14 +++++++-------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 13ddcf6aa7c..04779b18cbc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -48,8 +48,8 @@ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
-option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
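Review bot: the description says per-rule playbooks "will be built and installed", but in this commit only the install block is conditional; the build of per-rule playbooks stays unconditional until patch 3/6 adds the guard in ssg_build_product, so either squash with that patch or word the description as install-only here.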
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index e1480561ee1..b3710caafbf 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -914,16 +914,16 @@ macro(ssg_build_product PRODUCT)
"
)
endif()
- if(SSG_ANSIBLE_TASKS_ENABLED)
+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
install(
CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
- TYPE FILE FILES \${ROLE_FILES})
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
else()
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
- TYPE FILE FILES \${ROLE_FILES})
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
endif()
"
)
From 2f424af420f3520797780287812474a5f7c03f07 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 25 May 2021 17:07:22 +0200
Subject: [PATCH 3/6] Guard build of playbooks per rule by a new CMake Option.
---
cmake/SSGCommon.cmake | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index b3710caafbf..04bdfe04bae 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -769,7 +769,7 @@ macro(ssg_build_product PRODUCT)
ssg_build_xccdf_unlinked(${PRODUCT})
ssg_build_ocil_unlinked(${PRODUCT})
ssg_build_remediations(${PRODUCT})
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
ssg_build_ansible_playbooks(${PRODUCT})
endif()
ssg_build_xccdf_with_remediations(${PRODUCT})
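Review bot: with this guard, SSG_ANSIBLE_PLAYBOOKS_ENABLED=TRUE together with SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=FALSE becomes a legal configuration, yet at this point `${PRODUCT}-content` still gets `generate-${PRODUCT}-ansible-playbooks` added as a dependency from the profile-playbook branch (patch 6/6 moves it), so configuring references a target that was never created; the dependency move belongs in this patch. Also worth confirming that ssg_build_profile_playbooks does not read the per-rule playbook output, otherwise that combination fails at build time instead of at configure time.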
From 406a49b4c617499e538817579920b23fc81a09e6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 25 May 2021 17:40:10 +0200
Subject: [PATCH 4/6] Print message for CMake option enable ansible playbooks
per rule.
---
CMakeLists.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 04779b18cbc..bba7dd60356 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -246,6 +246,7 @@ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VA
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
if (SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
From 5a185a653ba4f58bdfcee37bfd61812763a2f525 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 25 May 2021 17:40:42 +0200
Subject: [PATCH 5/6] Fix path of gathered ansible playbooks per rule.
---
cmake/SSGCommon.cmake | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 04bdfe04bae..a382bb787b5 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -917,12 +917,12 @@ macro(ssg_build_product PRODUCT)
if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
install(
CODE "
- file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
else()
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
endif()
"
From 8b99c9c2a50653b37f88b9eb3bc2b46ae3586be3 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 27 May 2021 15:55:20 +0200
Subject: [PATCH 6/6] Move product dependency closer to declaration
A dependency on rule playbooks target was being added from a
conditional branch related to profile playbooks.
It caused issues when building profile playbooks but not rule playbooks,
the rule playbooks target would not exist, but still be added as
dependency.
Co-authored-by: Watson Sato <wsato@redhat.com>
---
cmake/SSGCommon.cmake | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index a382bb787b5..dc661cc2904 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -769,8 +769,13 @@ macro(ssg_build_product PRODUCT)
ssg_build_xccdf_unlinked(${PRODUCT})
ssg_build_ocil_unlinked(${PRODUCT})
ssg_build_remediations(${PRODUCT})
+
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
ssg_build_ansible_playbooks(${PRODUCT})
+ add_dependencies(
+ ${PRODUCT}-content
+ generate-${PRODUCT}-ansible-playbooks
+ )
endif()
ssg_build_xccdf_with_remediations(${PRODUCT})
ssg_build_oval_unlinked(${PRODUCT})
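Review bot: `add_dependencies(${PRODUCT}-content generate-${PRODUCT}-ansible-playbooks)` now runs right after ssg_build_remediations, much earlier than its previous location; add_dependencies requires `${PRODUCT}-content` to exist already, so confirm that the `add_custom_target(${PRODUCT}-content ...)` call precedes this point in ssg_build_product, otherwise CMake stops with a non-existent target error. If it does not, keeping the dependency next to the later target definition but inside the per-rule condition gives the same fix.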
@@ -801,10 +806,6 @@ macro(ssg_build_product PRODUCT)
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
- add_dependencies(
- ${PRODUCT}-content
- generate-${PRODUCT}-ansible-playbooks
- )
ssg_build_profile_playbooks(${PRODUCT})
add_custom_target(
${PRODUCT}-profile-playbooks

File diff suppressed because it is too large

File diff suppressed because it is too large

@ -1,815 +0,0 @@
From b1ee8de3856252e2052bee8f5dd2aaaee5dcc95b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 11:33:52 +0200
Subject: [PATCH 1/8] Enable update-related rules for RHEL9.
---
.../software/updating/dnf-automatic_apply_updates/rule.yml | 2 +-
.../software/updating/package_dnf-automatic_installed/rule.yml | 2 +-
.../software/updating/timer_dnf-automatic_enabled/rule.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
index 8b0343a52ec..7a10f5dd9ed 100644
--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhel9
title: Configure dnf-automatic to Install Available Updates Automatically
diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
index 8b332b800c7..0bdace740b4 100644
--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhel9
title: 'Install dnf-automatic Package'
diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
index 1c51fe22471..07aa5c3575b 100644
--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhel9
title: Enable dnf-automatic Timer
From 55bc57583158dc7c8080fdfd41b2c7ee4ddb677f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 11:45:02 +0200
Subject: [PATCH 2/8] Enable AIDE rules for RHEL9.
The component hasn't changed observably wrt our rules.
---
.../certified-vendor/installed_OS_is_FIPS_certified/rule.yml | 2 +-
.../software-integrity/aide/aide_build_database/rule.yml | 2 +-
.../software-integrity/aide/aide_scan_notification/rule.yml | 2 +-
.../software-integrity/aide/aide_use_fips_hashes/rule.yml | 2 +-
.../integrity/software-integrity/aide/aide_verify_acls/rule.yml | 2 +-
.../software-integrity/aide/aide_verify_ext_attributes/rule.yml | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
index 07d55e58e55..012fe8f6edd 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
title: 'The Installed Operating System Is FIPS 140-2 Certified'
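Review bot: this rule asserts that the installed OS is FIPS 140-2 certified; adding rhel9 here enables that assertion for a product that had not been released at the date of this patch and so had no certificate, meaning the check cannot be expected to pass on RHEL 9 builds. Unlike the AIDE rules in the same patch, which only depend on aide behaving the same, this one should either stay rhel8-and-earlier until a certificate exists or the commit message should state that it is deliberately enabled ahead of certification.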
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
index 175c997d508..6c0ee2e4c7b 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: debian9,debian10,fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
title: 'Build and Test AIDE Database'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index 24d3f8e1c24..a73fb0a39ad 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,wrlinux1019
title: 'Configure Notification of Post-AIDE Scan Details'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
index 1f86ed8a973..c982b8fde2e 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
index 144c0645503..f527068022a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Configure AIDE to Verify Access Control Lists (ACLs)'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index b5bcd202dea..7961f3b5a67 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Configure AIDE to Verify Extended Attributes'
From 5425108a0a88ba36b422ee2a1f672f301531c167 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 15:44:41 +0200
Subject: [PATCH 3/8] Enabled package installed rules for RHEL9.
Packages are likely to exist in RHEL9.
---
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 2 +-
.../smart_card_login/install_smartcard_packages/rule.yml | 2 +-
.../smart_card_login/package_opensc_installed/rule.yml | 2 +-
.../system/auditing/package_audispd-plugins_installed/rule.yml | 2 +-
.../package_policycoreutils-python-utils_installed/rule.yml | 2 +-
.../system/selinux/package_policycoreutils_installed/rule.yml | 2 +-
.../software/system-tools/package_rng-tools_installed/rule.yml | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 2f9dfc1b039..031d63ba778 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
title: 'Disable graphical user interface'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index 85260712c6f..652e9287759 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -8,7 +8,7 @@
documentation_complete: true
-prodtype: fedora,ol7,rhel7,rhel8,sle12,sle15
+prodtype: fedora,ol7,rhel7,rhel8,rhel9,sle12,sle15
title: 'Install Smart Card Packages For Multifactor Authentication'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
index df01a282459..a55409d9e8f 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install the opensc Package For Multifactor Authentication'
diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
index 8ed5af7070a..6d96d340a33 100644
--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
title: 'Install audispd-plugins Package'
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index 6c23fae18ab..a18a57dcbb3 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhel9
title: 'Install policycoreutils-python-utils package'
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
index b9fcc6a889e..acce754e9d2 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install policycoreutils Package'
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
index 7d25f41fb98..f0ca76b6953 100644
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install rng-tools Package'
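Review bot: the commit message says the packages are "likely to exist" in RHEL 9; for package_installed rules that is worth verifying against an actual RHEL 9 compose before extending prodtype, because a rule for a package absent from the repositories fails in every profile that selects it and its remediation cannot succeed. audispd-plugins, opensc, rng-tools and policycoreutils-python-utils are the ones to confirm.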
From ef063898277b53e35db6f3b54604583c3512ff46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 16:07:18 +0200
Subject: [PATCH 4/8] Enabled service-related rules for RHEL9.
---
linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 +-
linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 2 +-
linux_os/guide/services/ssh/service_sshd_enabled/rule.yml | 2 +-
.../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
index 8a12fd05711..1bb014b5993 100644
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
title: 'Disable KDump Kernel Crash Analyzer (kdump)'
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
index 5d47b5d69b3..4f1e4d85197 100644
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol8,rhel8
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
title: 'Enable the Hardware RNG Entropy Gatherer Service'
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
index 548750d0f61..a7aaa4f3f9c 100644
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
title: 'Enable the OpenSSH Service'
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
index a2e1affd89d..baa8a448026 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol8,rhel8
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
title: 'Disable acquiring, saving, and processing core dumps'
From ce273a6e9a50893d6cd2d623b74d30cba5c5ad8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 17:13:54 +0200
Subject: [PATCH 5/8] More various rules.
---
.../files/dir_perms_world_writable_root_owned/rule.yml | 2 +-
.../software/disk_partitioning/encrypt_partitions/rule.yml | 6 ++++--
.../installed_OS_is_vendor_supported/rule.yml | 4 ++--
.../crypto/configure_openssl_tls_crypto_policy/rule.yml | 2 +-
.../rule.yml | 2 +-
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
.../updating/clean_components_post_updating/rule.yml | 2 +-
7 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index 9714947ae47..0a4232cae38 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
title: 'Ensure All World-Writable Directories Are Owned by root user'
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 7730800a0e8..ef544f33d48 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Encrypt Partitions'
@@ -37,8 +37,10 @@ description: |-
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/ol8-install-basic.html#install-storage-network") }}}.
{{% elif product in ["sle12", "sle15"] %}}
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
- {{% else %}}
+ {{% elif product == "rhel7" %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
+ {{% else %}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
{{% endif %}}
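Review bot: the `else` branch now carries the RHEL 8 LUKS link and serves every product not matched above, which per this rule's prodtype includes rhel9 as well as rhcos4 and rhv4, so RHEL 9 readers are pointed at RHEL 8 documentation. Make the rhel8 case explicit with `{{% elif product == "rhel8" %}}` and either add a rhel9 link when one exists or keep a neutral generic `else`, so the fallthrough does not silently attribute one release's docs to another.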
rationale: |-
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index ac76ba7c5a0..8a36d5691b7 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
title: 'The Installed Operating System Is Vendor Supported'
@@ -56,7 +56,7 @@ ocil_clause: 'the installed operating system is not supported'
ocil: |-
To verify that the installed operating system is supported, run
the following command:
-{{% if product in ["rhel7", "rhel8"] %}}
+{{% if product.startswith("rhel") %}}
<pre>$ grep -i "red hat" /etc/redhat-release</pre>
{{% elif product in ["ol7", "ol8"] %}}
<pre>$ grep -i "oracle" /etc/oracle-release</pre>
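Review bot: `product.startswith("rhel")` covers rhel7, rhel8 and rhel9 as intended but also any future product id that begins with `rhel`; if that generalisation is wanted it is fine, otherwise `product in ["rhel7", "rhel8", "rhel9"]` keeps the condition as explicit as the `ol7`/`ol8` branch directly below it.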
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
index c4637d39fed..dfe105771cc 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8
+prodtype: rhel8,rhel9
title: 'Configure OpenSSL library to use TLS Encryption'
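Review bot: only `prodtype` changes here, yet the rule's check and remediation target the OpenSSL configuration that pulls in the crypto-policies back end, and RHEL 9 ships a newer OpenSSL than RHEL 8. Please confirm the OVAL check and the bash/ansible remediation have been exercised on a rhel9 build before enabling the rule, and say so in the commit message.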
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 4b01cb39e1a..930915327e0 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'The operating system must restrict privilege elevation to authorized personnel'
-prodtype: ol7,ol8,rhel7,rhel8,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15
description: |-
The sudo command allows a user to execute programs with elevated
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index eede35be8a1..d17f33852db 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure invoking users password for privilege escalation when using sudo'
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15
description: |-
The sudoers security policy requires that users authenticate themselves before they can use sudo.
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index 34723d0e2a5..d0289b311c6 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
From 255ee86df41e9d5e8ee427ff28e214833796f156 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 17:15:51 +0200
Subject: [PATCH 6/8] Enabled zIPL rules for RHEL9.
There are indications that zIPL will remain the default bootloader for s390x, and the project is very conservative.
---
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 +-
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
.../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +-
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 2 +-
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 +-
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index c2fb5ba678c..987a42d31ec 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 6548c352acc..cfb8c08f31d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index c3f032d8cbb..b8b025f74f4 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Ensure all zIPL boot entries are BLS compliant'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 13192cd8ca5..c8133e19ab4 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Ensure zIPL bootmap is up to date'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 42c1c8aecd5..c626f6188cd 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Enable page allocator poisoning in zIPL'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 2f9b04f7a27..d266165cddc 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index f90a0fb4141..387f7f13850 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhcos4
+prodtype: rhcos4,rhel8,rhel9
title: 'Disable vsyscalls in zIPL'
From 807dbda2042184d6d2e602506e846bb3a19a775d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 17:40:30 +0200
Subject: [PATCH 7/8] Enabled more audit rules for RHEL9.
Component maintainers have reported that there are no breaking changes in the audit configuration.
---
.../system/auditing/policy_rules/audit_access_failed/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_access_success/rule.yml | 2 +-
.../auditing/policy_rules/audit_basic_configuration/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_create_failed/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_create_success/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_delete_failed/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_delete_success/rule.yml | 2 +-
.../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_modify_failed/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_modify_success/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_module_load/rule.yml | 2 +-
.../system/auditing/policy_rules/audit_ospp_general/rule.yml | 2 +-
.../auditing/policy_rules/audit_owner_change_failed/rule.yml | 2 +-
.../auditing/policy_rules/audit_owner_change_success/rule.yml | 2 +-
.../auditing/policy_rules/audit_perm_change_failed/rule.yml | 2 +-
.../auditing/policy_rules/audit_perm_change_success/rule.yml | 2 +-
16 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
index 458ac7e0ae6..a0d856b023b 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful file accesses'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
index 064618716e8..6f79a5cf04a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful file accesses'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
index cce5e83fd6e..bd5d6455351 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure basic parameters of Audit system'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
index 92800b472c7..b2f731d11ba 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful file creations'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
index 59db7b10073..a03a7f3b715 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful file creations'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
index 2f67a150dc5..d4bd88e6cfc 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful file deletions'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
index f54899fb842..6c05a736e39 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful file deletions'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index 073f29c9fe6..34e9fc134e0 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure immutable Audit login UIDs'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
index 51f9d76f06d..2d0f7cf9da3 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful file modifications'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
index b51acc04dcb..28045878a69 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful file modifications'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
index 20bfca83eee..d764e384ea2 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of loading and unloading of kernel modules'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
index fbf7473cc4c..0a41ece25fc 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Perform general configuration of Audit for OSPP'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
index b0052f8b645..a95c0146b11 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful ownership changes'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
index 3657a32fc3a..4133eb193f2 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful ownership changes'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
index 477c74282d0..47f248a2b36 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of unsuccessful permission changes'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
index 53ecf9d589a..5017b17849b 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhcos4,rhel8,rhel9
title: 'Configure auditing of successful permission changes'
From 65b2fe65e7143d38f46f782d7e0d49738ad7dd76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 20 May 2021 17:46:00 +0200
Subject: [PATCH 8/8] Enabled Grub cmdline rules for RHEL9.
Those rules are not very specific - they perform basic configuration of kernel parameters.
---
.../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +-
.../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 2 +-
.../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +-
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
index 39f1bbe285c..03f56b8031d 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhel9
title: 'Configure kernel to trust the CPU random number generator'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
index 1516972d72c..f186b1ae6e7 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhel9
title: 'Enable Kernel Page-Table Isolation (KPTI)'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
index 9ad81924ceb..0b5873c56a2 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
title: 'Disable vsyscalls'
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index 820e4799f87..9b18bee588f 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
title: 'Enable page allocator poisoning'
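Review bot: the commit message says these rules only set basic kernel parameters, but enabling them for rhel9 asserts that the parameter names and their semantics are unchanged on a newer kernel. At least for `page_poison` that deserves an explicit check on the RHEL 9 kernel (page poisoning and its interaction with `init_on_free` were reworked upstream after the RHEL 8 kernel baseline), with the outcome recorded in the commit message instead of "not very specific".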
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index 182a0cc507c..f6059044f14 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
title: 'Enable SLUB/SLAB allocator poisoning'


@ -1,141 +0,0 @@
From a6bd844c52ccadae91ebcb7c252cf4a153522776 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 30 Jun 2021 15:10:13 +0200
Subject: [PATCH] Enable templates for RHEL9.
Concerned templates are low-level, underlying components are stable.
---
shared/templates/audit_rules_file_deletion_events/bash.template | 2 +-
shared/templates/audit_rules_login_events/bash.template | 2 +-
shared/templates/audit_rules_path_syscall/bash.template | 2 +-
shared/templates/audit_rules_privileged_commands/bash.template | 2 +-
.../audit_rules_unsuccessful_file_modification/bash.template | 2 +-
shared/templates/grub2_bootloader_argument/bash.template | 2 +-
shared/templates/kernel_module_disabled/ansible.template | 2 +-
shared/templates/mount/anaconda.template | 2 +-
shared/templates/mount_option/anaconda.template | 2 +-
.../mount_option_removable_partitions/anaconda.template | 2 +-
shared/templates/zipl_bls_entries_option/ansible.template | 2 +-
shared/templates/zipl_bls_entries_option/bash.template | 2 +-
12 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template
index c387624cfb..851b0fd43e 100644
--- a/shared/templates/audit_rules_file_deletion_events/bash.template
+++ b/shared/templates/audit_rules_file_deletion_events/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
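Review bot: replacing the explicit `Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8` list with `multi_platform_rhel` enables this remediation for every RHEL product the build defines, not only rhel9, so "Enable templates for RHEL9" understates the scope. That is probably intended, but state it, and note that any future rhelN inherits these templates automatically without a per-version review.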
diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template
index 065e8bb288..69e8be9c50 100644
--- a/shared/templates/audit_rules_login_events/bash.template
+++ b/shared/templates/audit_rules_login_events/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template
index c3d31aade9..656d168ddd 100644
--- a/shared/templates/audit_rules_path_syscall/bash.template
+++ b/shared/templates/audit_rules_path_syscall/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 42e12671ac..85dbc9b828 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
index e89ac0749c..daf146f7eb 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
index bac84526ee..965fe5bac0 100644
--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
{{% if product in ["rhel7", "ol7"] %}}
{{% if '/' in ARG_NAME %}}
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 72f7ae18bf..2526baf737 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template
index 5093c926da..fdcb4ee3e8 100644
--- a/shared/templates/mount/anaconda.template
+++ b/shared/templates/mount/anaconda.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = false
# strategy = enable
# complexity = low
diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template
index 0a54865e12..083b0ef008 100644
--- a/shared/templates/mount_option/anaconda.template
+++ b/shared/templates/mount_option/anaconda.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = false
# strategy = enable
# complexity = low
diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template
index b4510ae804..8665fb913a 100644
--- a/shared/templates/mount_option_removable_partitions/anaconda.template
+++ b/shared/templates/mount_option_removable_partitions/anaconda.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = false
# strategy = enable
# complexity = low
diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template
index 7e73d391de..336775e4f8 100644
--- a/shared/templates/zipl_bls_entries_option/ansible.template
+++ b/shared/templates/zipl_bls_entries_option/ansible.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
# reboot = true
# strategy = configure
# complexity = medium
diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template
index 81bbb7884b..25cd7432c9 100644
--- a/shared/templates/zipl_bls_entries_option/bash.template
+++ b/shared/templates/zipl_bls_entries_option/bash.template
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}"
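Review bot: here the platform stays an explicit `Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9` list rather than the `multi_platform_rhel` used for the other templates in this patch. That is correct (RHEL 7 has no BLS entries for grubby to rewrite), but add a comment saying why, otherwise the next contributor will "fix" the inconsistency and break RHEL 7 builds.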


@ -1,206 +0,0 @@
From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sun, 30 May 2021 19:16:11 +0100
Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS
---
.../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++
.../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++
rhel8/profiles/cis.profile | 2 +-
3 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
new file mode 100644
index 00000000000..5571c92a679
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Ensure Sudo Logfile Exists - sudo logfile'
+
+description: |-
+ A custom logfile can be configured for sudo with the logfile tag.
+
+rationale: |-
+ A sudo log file simplifies auditing of sudo commands.
+
+severity: medium
+
+identifiers:
+ cis@rhel8: 1.3.3
+
+template:
+ name: sudo_defaults_option
+ vars:
+ option: logfile
+ variable_name: var_sudo_logfile
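Review bot: `cis@rhel8: 1.3.3` under `identifiers:` is misplaced; CIS benchmark mappings belong under `references:` (`identifiers:` is for CCEs). Patch 3/5 in this series corrects that, so consider squashing it into this commit. As committed the rule also has no `ocil` (added in patch 2/5), and the description should say that the path comes from `var_sudo_logfile` and defaults to /var/log/sudo.log so profile authors know it is tunable.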
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
new file mode 100644
index 00000000000..65b23b5f3c2
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Sudo - logfile value'
+
+description: |-
+ Specify the sudo logfile to use. The default value used here matches the example
+ location from CIS, which uses /var/log/sudo.log.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+ default: "/var/log/sudo.log"
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index ec9cbfa0a3d..411083d6e71 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -132,7 +132,7 @@ selections:
# NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220
### 1.3.3 Ensure sudo log file exists (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221
+ - sudo_custom_logfile
## 1.4 Filesystem Integrity Checking
From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sun, 30 May 2021 20:46:58 +0100
Subject: [PATCH 2/5] Update rule with OCIL parameters
---
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 5571c92a679..de0ecb98a76 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -8,11 +8,18 @@ description: |-
rationale: |-
A sudo log file simplifies auditing of sudo commands.
-severity: medium
+severity: low
identifiers:
cis@rhel8: 1.3.3
+ocil_clause: 'logfile is not enabled in sudo'
+
+ocil: |-
+ To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
+ <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return a matching output.
+
template:
name: sudo_defaults_option
vars:
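Review bot: the OCIL regex `^[\s]*Defaults.*\blogfile\b.*` does not do what it looks like: inside a bracket expression grep treats the backslash literally, so `[\s]*` matches a `\` or an `s`, not whitespace, and an indented `Defaults logfile=...` line would be missed; use `^[[:space:]]*Defaults\b.*\blogfile\b` (the trailing `.*` is redundant), and `-i` is unnecessary for a keyword spelled `Defaults`. The check also only confirms that some `logfile` option exists; it does not say the path should match `var_sudo_logfile`, which is what the remediation writes. Separately, the severity drop from medium to low is not mentioned in the commit message ("Update rule with OCIL parameters"); give the reason there.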
From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Mon, 31 May 2021 11:44:13 +0100
Subject: [PATCH 3/5] Use references field for CIS rather than identifiers
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index de0ecb98a76..afce7f1867c 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
severity: low
-identifiers:
+references:
cis@rhel8: 1.3.3
ocil_clause: 'logfile is not enabled in sudo'
From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 1 Jun 2021 11:28:08 +0100
Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule
---
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
shared/references/cce-redhat-avail.txt | 2 --
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index afce7f1867c..d08b7891293 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -3,14 +3,21 @@ documentation_complete: true
title: 'Ensure Sudo Logfile Exists - sudo logfile'
description: |-
- A custom logfile can be configured for sudo with the logfile tag.
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
+ a sudo custom logfile at the default location suggested by CIS, which uses
+ /var/log/sudo.log.
rationale: |-
A sudo log file simplifies auditing of sudo commands.
severity: low
+identifiers:
+ cce@rhel7: CCE-83600-7
+ cce@rhel8: CCE-83601-5
+
references:
+ cis@rhel7: 5.2.3
cis@rhel8: 1.3.3
ocil_clause: 'logfile is not enabled in sudo'
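Review bot: the new description reads "A custom log sudo file" (should be "A custom sudo log file"), and it states that the rule configures the logfile at `/var/log/sudo.log`, whereas the location actually comes from `var_sudo_logfile` (which PATCH 5/5 makes tailorable); word it as "at the location given by `var_sudo_logfile`, which defaults to the CIS example `/var/log/sudo.log`" so a tailored value is not contradicted by the rule text. Please also cite which CIS RHEL 7 benchmark version numbers this control `5.2.3`, given that the rhel8 mapping is `1.3.3`.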
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ae54d0ee0b2..e74b6779509 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -94,8 +94,6 @@ CCE-83594-2
CCE-83595-9
CCE-83596-7
CCE-83599-1
-CCE-83600-7
-CCE-83601-5
CCE-83606-4
CCE-83608-0
CCE-83609-8
From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 1 Jun 2021 16:19:45 +0100
Subject: [PATCH 5/5] Allow users to override sudo logfile location with
tailoring
---
linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
index 65b23b5f3c2..7c5d02d37eb 100644
--- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
@@ -6,7 +6,7 @@ description: |-
Specify the sudo logfile to use. The default value used here matches the example
location from CIS, which uses /var/log/sudo.log.
-interactive: false
+interactive: true
type: string
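Review bot: this one-line flip reverts the `interactive: false` that PATCH 1/5 wrote when it created the file; squash it into that patch so the variable lands once with its final value, and let the squashed commit message say why the log path is meant to be tailorable.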


@ -0,0 +1,55 @@
From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@canonical.com>
Date: Tue, 27 Jul 2021 15:20:08 -0400
Subject: [PATCH] Remove FragmentPath check from service_disabled
In https://github.com/systemd/systemd/issues/582 it is documented that
systemd could eventually replace FragmentPath=/dev/null (on masked
services) with the actual service path -- not the fully (symlink)
resolved path as is currently the case.
This matches the behavior currently seen in Ubuntu (all versions) and
RHEL 9/Fedora 34.
Per discussion with Gabriel, Matej, Richard, and Matt, it is best to
remove this check, especially since ActiveState=Masked suffices.
Resolves: #7280
Resolves: #7248
Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
---
shared/templates/service_disabled/oval.template | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template
index 33b52518307..e4ccb0566e7 100644
--- a/shared/templates/service_disabled/oval.template
+++ b/shared/templates/service_disabled/oval.template
@@ -13,7 +13,6 @@
<criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
<criterion comment="{{{ SERVICENAME }}} is not running" test_ref="test_service_not_running_{{{ SERVICENAME }}}" />
<criterion comment="Property LoadState of service {{{ SERVICENAME }}} is masked" test_ref="test_service_loadstate_is_masked_{{{ SERVICENAME }}}" />
- <criterion comment="Property FragmentPath of service {{{ SERVICENAME }}} is set to /dev/null" test_ref="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" />
</criteria>
</criteria>
</definition>
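Review bot: the criterion kept here tests `LoadState` ("Property LoadState of service ... is masked"), but the commit message says "ActiveState=Masked suffices"; fix the message so nobody goes looking for an ActiveState test. With the FragmentPath criterion gone, the AND reduces to not-running plus LoadState=masked, which is the behaviour the message asks for.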
@@ -41,18 +40,6 @@
<linux:value>masked</linux:value>
</linux:systemdunitproperty_state>
- <linux:systemdunitproperty_test id="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" check="all" check_existence="any_exist" comment="Test that the property FragmentPath from the service {{{ SERVICENAME }}} is set to /dev/null" version="1">
- <linux:object object_ref="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- <linux:state state_ref="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- </linux:systemdunitproperty_test>
- <linux:systemdunitproperty_object id="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" comment="Retrieve the FragmentPath property of {{{ SERVICENAME }}}" version="1">
- <linux:unit operation="pattern match">^{{{ SERVICENAME }}}\.(service|socket)$</linux:unit>
- <linux:property>FragmentPath</linux:property>
- </linux:systemdunitproperty_object>
- <linux:systemdunitproperty_state id="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" version="1" comment="FragmentPath is set to /dev/null">
- <linux:value>/dev/null</linux:value>
- </linux:systemdunitproperty_state>
-
{{% else %}}
{{% if init_system != "systemd" %}}
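Review bot: the reason for dropping the FragmentPath test (systemd may report the real unit path instead of `/dev/null` for masked units, per the systemd issue cited in the commit message) now lives only in git history; add a short template comment at this spot so the check is not reintroduced. Also confirm that the surviving LoadState test matches the same `^{{{ SERVICENAME }}}\.(service|socket)$` unit pattern the removed object used, so socket units keep being evaluated.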


@ -1,25 +1,25 @@
# SSG build system and tests count with build directory name `build`.
# For more details see:
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
Name: scap-security-guide
Version: 0.1.56
Release: 3%{?dist}
Version: 0.1.57
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
Patch1: scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
Patch2: scap-security-guide-0.1.57-build-system-pr-7025.patch
Patch3: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
Patch4: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch
Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
Patch9: scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch
BuildArch: noarch
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
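Review bot: `Patch0` is named `scap-security-guide-0.1.58-...` while `Version` is 0.1.57; the nine patches removed above all carried the package version, so either rename it `scap-security-guide-0.1.57-fix_service_disabled-PR_7296.patch` or add a comment that the name records the upstream release the PR targets. It is also placed after `BuildArch`; keeping it next to `Source0`, where Patch1..Patch9 used to be, keeps the header scannable.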
@ -46,7 +46,7 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if %{defined rhel}
%if ( %{defined rhel} && (! %{defined centos}) )
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
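Review bot: the `!centos` guard is needed because CentOS Stream defines `%rhel` as well, but the expression `( %{defined rhel} && (! %{defined centos}) )` is now repeated three times in this spec (here, the `%exclude` in `%files`, and the `%files rule-playbooks` block); define it once, for example `%global with_rule_playbooks ...` (the name is only a suggestion), and test that macro in all three places.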
@ -56,27 +56,21 @@ Requires: %{name} = %{version}-%{release}
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
%endif
# Temporarily needed to apply the profile stub patch (identifiers were sorted)
%global _default_patch_fuzz 1
%prep
%autosetup -p1
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
%endif
mkdir -p build
%build
%cmake \
-DSSG_PRODUCT_DEFAULT=OFF \
-DSSG_PRODUCT_RHEL9=ON \
-DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \
-DSSG_BASH_SCRIPTS_ENABLED=OFF \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if %{defined rhel}
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
-DSSG_BUILD_SCAP_12_DS=OFF
%cmake %{cmake_defines_common} %{cmake_defines_specific}
%cmake_build
%install
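Review bot: on CentOS both `%if 0%{?rhel}` and `%if 0%{?centos}` are true (CentOS Stream defines `%rhel` too), so `cmake_defines_specific` is assigned twice and the CentOS value wins only because its block comes second; make the second block an `%else` of the first, or test `centos` first, so the order is not load-bearing. Two smaller things: `mkdir -p build` in `%prep` looks redundant once `%cmake` runs with `_vpath_builddir build` (cmake creates its `-B` directory itself), so if the tests need the directory to pre-exist, say so in the comment at the top of the spec; and dropping `_default_patch_fuzz 1` together with the profile-stub patch it was added for is right.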
@ -90,7 +84,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%{_datadir}/%{name}/ansible/*.yml
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%if %{defined rhel}
%if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
@ -98,13 +92,17 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if %{defined rhel}
%if ( %{defined rhel} && (! %{defined centos}) )
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Introduced the playbooks subpackage.
- Enabled CentOS content on CentOS systems.
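Review bot: the 0.1.57-1 changelog entry mentions only the upstream upgrade and the RHEL9 content; it should also record that the nine 0.1.57 backport patches were dropped as merged upstream and that `Patch0` (the service_disabled FragmentPath fix, PR 7296) was added, so the package history explains why a 0.1.58-named patch appears in a 0.1.57 build.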


@ -1 +1 @@
SHA512 (scap-security-guide-0.1.56.tar.bz2) = 1c876f1a8e03f3f68de8fd5a8fd020567f0eecb1fb8b9c9f754453c2f22278944f50d06c0f4e771020e2e25facf6cecb1044d3ddb12e531428ca5aacfec3c86c
SHA512 (scap-security-guide-0.1.57.tar.bz2) = e0f030445cc8c629f94be156581a3732abb104e2e5a57a92c64e7fa168b2107e60ee8edfcf8d715c339180317f09378317d031d575673b5384f16208528d66a2