From e12200a0bbd2acd766ec2d58a68be0776b3fa914 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Fri, 13 Oct 2023 14:53:50 +0000
Subject: [PATCH] Fix AlmaLinux patch
---
...-guide-0.1.69-add-almalinux9-product.patch | 622 +++++++++---------
1 file changed, 311 insertions(+), 311 deletions(-)
diff --git a/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch b/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch
index f943cd4..2b08ce3 100644
--- a/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch
+++ b/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch
@@ -26198,357 +26198,357 @@ index 061ac2bac..aac521349 100644
export superusers
diff --git a/shared/references/disa-stig-rhel7-v3r12-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r12-xccdf-scap.xml
-index 6aec0d608..54669e9f5 100644
+index 6c1f3f917..726bbd515 100644
--- a/shared/references/disa-stig-rhel7-v3r12-xccdf-scap.xml
+++ b/shared/references/disa-stig-rhel7-v3r12-xccdf-scap.xml
@@ -3228,7 +3228,7 @@ Confirm password: - SV-95719 - V-81007 - CCI-000213 -- Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. -+ Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - + SV-95719 + V-81007 + CCI-000213 +- Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. ++ Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. + + Generate an encrypted grub2 password for the grub superusers account with the following command: + @@ -4005,7 +4005,7 @@ On BIOS-based machines, use the following command: - - On UEFI-based machines, use the following command: - --# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg -+# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg - - If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: - + + On UEFI-based machines, use the following command: + +-# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ++# grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg + + If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: + 
@@ -7538,6 +7538,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - - multi_platform_fedora - multi_platform_rhel -+multi_platform_almalinux - multi_platform_rhel-osp - - The prelinking feature can interfere with the operation of + + multi_platform_fedora + multi_platform_rhel ++multi_platform_almalinux + multi_platform_rhel-osp + + The prelinking feature can interfere with the operation of @@ -7569,6 +7570,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - Package openssh-server Removed - - multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - multi_platform_sle - + Package openssh-server Removed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + multi_platform_sle + @@ -8340,6 +8342,7 @@ Password complexity is one factor of several that determines how long it takes t - Limit Password Reuse - - multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - - The passwords to remember should be set correctly. + Limit Password Reuse + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + + The passwords to remember should be set correctly. 
@@ -8356,6 +8359,7 @@ Password complexity is one factor of several that determines how long it takes t - RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - - multi_platform_rhel -+multi_platform_almalinux - - Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - + RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. + + multi_platform_rhel ++multi_platform_almalinux + + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + 
@@ -8413,6 +8417,7 @@ Terminating network connections associated with communications sessions includes - RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. - - multi_platform_rhel -+multi_platform_almalinux - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - + RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + @@ -8469,6 +8474,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. - - multi_platform_rhel -+multi_platform_almalinux - - - + RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + + 
@@ -8515,6 +8521,7 @@ When a user logs on, the auid is set to the uid of the account that is being aut - RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. - - multi_platform_rhel -+multi_platform_almalinux - - - + RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls. + + multi_platform_rhel ++multi_platform_almalinux + + + @@ -9612,6 +9619,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Disable Host-Based Authentication - - multi_platform_rhel -+multi_platform_almalinux - - SSH host-based authentication should be disabled. - + Disable Host-Based Authentication + + multi_platform_rhel ++multi_platform_almalinux + + SSH host-based authentication should be disabled. + @@ -9627,6 +9635,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Package prelink Removed - - multi_platform_rhel -+multi_platform_almalinux - - The RPM package prelink should be removed. - + Package prelink Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package prelink should be removed. + @@ -9770,6 +9779,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Mount Remote Filesystems with nosuid - - multi_platform_rhel -+multi_platform_almalinux - - - + Mount Remote Filesystems with nosuid + + multi_platform_rhel ++multi_platform_almalinux + + + @@ -9800,6 +9810,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Package net-snmp Removed - - multi_platform_rhel -+multi_platform_almalinux - - The RPM package net-snmp should be removed. - + Package net-snmp Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package net-snmp should be removed. + 
@@ -9827,6 +9838,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Package telnet-server Removed - - multi_platform_rhel -+multi_platform_almalinux - - The RPM package telnet-server should be removed. - + Package telnet-server Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package telnet-server should be removed. + @@ -9855,6 +9867,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Package vsftpd Removed - - multi_platform_rhel -+multi_platform_almalinux - - The RPM package vsftpd should be removed. - + Package vsftpd Removed + + multi_platform_rhel ++multi_platform_almalinux + + The RPM package vsftpd should be removed. + @@ -9868,6 +9881,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Package xorg-x11-server-common Removed - - multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - - + Package xorg-x11-server-common Removed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + + @@ -9897,6 +9911,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Ensure /home Located On Separate Partition - - multi_platform_rhel -+multi_platform_almalinux - - If user home directories will be stored locally, create a - separate partition for /home. If /home will be mounted from another + Ensure /home Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + If user home directories will be stored locally, create a + separate partition for /home. If /home will be mounted from another @@ -9915,6 +9930,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Ensure /var Located On Separate Partition - - multi_platform_rhel -+multi_platform_almalinux - - - + Ensure /var Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + + 
@@ -9933,6 +9949,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Ensure /var/log/audit Located On Separate Partition - - multi_platform_rhel -+multi_platform_almalinux - - - + Ensure /var/log/audit Located On Separate Partition + + multi_platform_rhel ++multi_platform_almalinux + + + @@ -9952,6 +9969,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - - multi_platform_fedora - multi_platform_rhel -+multi_platform_almalinux - - Verify the RPM digests of system binaries using the RPM database. - + + multi_platform_fedora + multi_platform_rhel ++multi_platform_almalinux + + Verify the RPM digests of system binaries using the RPM database. + @@ -10026,6 +10044,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Ensure Only Protocol 2 Connections Allowed - - multi_platform_rhel -+multi_platform_almalinux - multi_platform_debian - multi_platform_ubuntu - + Ensure Only Protocol 2 Connections Allowed + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_debian + multi_platform_ubuntu + @@ -10062,6 +10081,7 @@ The system call rules are loaded into a matching engine that intercepts each sys - Disable .rhosts Files - - multi_platform_rhel -+multi_platform_almalinux - - - + Disable .rhosts Files + + multi_platform_rhel ++multi_platform_almalinux + + + @@ -10127,6 +10147,7 @@ This should be disabled. - Do Not Allow Users to Set Environment Options - - multi_platform_rhel -+multi_platform_almalinux - - PermitUserEnvironment should be disabled - + Do Not Allow Users to Set Environment Options + + multi_platform_rhel ++multi_platform_almalinux + + PermitUserEnvironment should be disabled + 
@@ -10476,6 +10497,7 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w - Package openssh-server is version 7.4 or higher - - multi_platform_rhel -+multi_platform_almalinux - multi_platform_fedora - multi_platform_sle - + Package openssh-server is version 7.4 or higher + + multi_platform_rhel ++multi_platform_almalinux + multi_platform_fedora + multi_platform_sle + @@ -10712,12 +10734,12 @@ The ability to enable/disable a session lock is given to the user by default. Di - The UEFI grub2 boot loader should have password protection enabled. - - -- -+ - -- -+ - -- -- -+ -+ - - - + The UEFI grub2 boot loader should have password protection enabled. + + +- ++ + +- ++ + +- +- ++ ++ + + + @@ -11662,7 +11684,7 @@ This requirement addresses concurrent sessions for information system accounts a - - - -- -+ - - - + + + +- ++ + + + @@ -12191,10 +12213,10 @@ This requirement addresses concurrent sessions for information system accounts a - - - -- -+ - - -- -+ - - - + + + +- ++ + + +- ++ + + + @@ -13639,7 +13661,7 @@ This requirement addresses concurrent sessions for information system accounts a - /boot/grub2/grub.cfg - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - - - + /boot/grub2/grub.cfg + + +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + + + @@ -14441,12 +14463,12 @@ This requirement addresses concurrent sessions for information system accounts a - 1 - - -- /boot/efi/EFI/redhat/user.cfg -+ /boot/efi/EFI/almalinux/user.cfg - ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ - 1 - - -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - ^[\s]*set[\s]+superusers=\"\S+\"$ - 1 - + 1 + + +- /boot/efi/EFI/redhat/user.cfg ++ /boot/efi/EFI/almalinux/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$ + 1 + + +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + ^[\s]*set[\s]+superusers=\"\S+\"$ + 1 + 
@@ -15022,7 +15044,7 @@ This requirement addresses concurrent sessions for information system accounts a - - - /boot/grub2/grub.cfg -- /boot/efi/EFI/redhat/grub.cfg -+ /boot/efi/EFI/almalinux/grub.cfg - - - /etc/sysctl.d + + + /boot/grub2/grub.cfg +- /boot/efi/EFI/redhat/grub.cfg ++ /boot/efi/EFI/almalinux/grub.cfg + + + /etc/sysctl.d diff --git a/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml -index b417e7fec..ebaf26f52 100644 +index a6e6e2c0b..6352e2e24 100644 --- a/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel8-v1r10-xccdf-scap.xml @@ -2549,7 +2549,7 @@ SHA_CRYPT_MIN_ROUNDS 5000 - 2921 - - CCI-000213 -- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. -+ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. - - Generate an encrypted grub2 password for the grub superusers account with the following command: - + 2921 + + CCI-000213 +- Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. ++ Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/almalinux/user.cfg file. + + Generate an encrypted grub2 password for the grub superusers account with the following command: + 
@@ -10026,11 +10026,11 @@ Passwords need to be protected at all times, and encryption is the standard meth - - If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. - -- -- -+ -+ - -- -- -+ -+ - - - + + If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. + +- +- ++ ++ + +- +- ++ ++ + + + @@ -10696,7 +10696,7 @@ Configuration settings are the set of parameters that can be changed in hardware - The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - - -- -+ - - - + The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + + +- ++ + + + @@ -14092,15 +14092,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - - -- -+ - - - -- -+ - - - -- -+ - - - + + + +- ++ + + + +- ++ + + + +- ++ + + + 
@@ -15677,18 +15677,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi - ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b - 1 - -- -- /boot/efi/EFI/redhat/grub.cfg -+ -+ /boot/efi/EFI/almalinux/grub.cfg - ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ - 1 - -- -- /boot/efi/EFI/redhat/user.cfg -+ -+ /boot/efi/EFI/almalinux/user.cfg - ^\s*GRUB2_PASSWORD=(\S+)\b - 1 - -- -- /boot/efi/EFI/redhat/grub.cfg -+ -+ /boot/efi/EFI/almalinux/grub.cfg - - - /boot/grub2/grub.cfg + ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\b + 1 + +- +- /boot/efi/EFI/redhat/grub.cfg ++ ++ /boot/efi/EFI/almalinux/grub.cfg + ^\s*set\s+superusers\s*=\s*"(\w+)"\s*$ + 1 + +- +- /boot/efi/EFI/redhat/user.cfg ++ ++ /boot/efi/EFI/almalinux/user.cfg + ^\s*GRUB2_PASSWORD=(\S+)\b + 1 + +- +- /boot/efi/EFI/redhat/grub.cfg ++ ++ /boot/efi/EFI/almalinux/grub.cfg + + + /boot/grub2/grub.cfg diff --git a/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml index 747e322d8..2fd54a056 100644 --- a/shared/references/disa-stig-rhel8-v1r11-xccdf-manual.xml
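Review bot: Every removed/added pair in this hunk is textually identical (from `- SV-95719`/`+ SV-95719` down to the last `/boot/grub2/grub.cfg` line), so the only visible change is the inner blob ids (`6aec0d608..54669e9f5` → `6c1f3f917..726bbd515` and `b417e7fec..ebaf26f52` → `a6e6e2c0b..6352e2e24`), and neither the hunk nor the "Fix AlmaLinux patch" subject says what was actually wrong — presumably whitespace or line-ending context against the two reference XMLs, but that is an inference from the diff, not something it shows. Record the cause in the commit body or in the inner patch's description so the next rebase does not have to rediscover it, e.g. `Regenerate the disa-stig-rhel7/rhel8 *-xccdf-scap.xml hunks with git format-patch; the hand-edited context did not match the reference files' whitespace`, adjusted to whatever the real cause was. Because the re-added lines retarget the OVAL objects behind the GRUB superusers-password check (`/boot/efi/EFI/almalinux/user.cfg` matched against `^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.\S+$`, and `set superusers=` in `/boot/efi/EFI/almalinux/grub.cfg`), a host whose EFI vendor directory is not `almalinux` would get a fail or not-applicable for that STIG rule with nothing pointing at the path as the reason, so the change should be confirmed on an AlmaLinux UEFI install where `grub2-setpassword` has been run and the patch verified with `git apply --check` in the build. Since these are DISA-published reference benchmarks under shared/references, a one-line note in the patch header that they are locally adapted (EFI vendor directory and the added `multi_platform_almalinux` entries) would keep the divergence from being mistaken for upstream content when the STIG version is next bumped.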