rpms
/
scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import scap-security-guide-0.1.66-1.el9_1

This commit is contained in:
CentOS Sources 2023-03-28 12:03:36 +00:00 committed by Stepan Oksanichenko
parent 154613c37f
commit e6b9e29b70
17 changed files with 5495 additions and 5397 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.63.tar.bz2
SOURCES/scap-security-guide-0.1.66.tar.bz2

2
.scap-security-guide.metadata
View File

@ -1 +1 @@
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2

2093
SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
View File

File diff suppressed because one or more lines are too long

90
SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
View File

@ -1,90 +0,0 @@
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:15 +0200
Subject: [PATCH 1/4] fix ospp references
---
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
index c151d3c4aa1..f9b46c51ddd 100644
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
disa: CCI-000213
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
nist: AC-3
+ ospp: FIA_UAU.1,FIA_AFL.1
srg: SRG-OS-000480-GPOS-00227
ocil: |-
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:42 +0200
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b47630c62b0..dcc41970043 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
- coredump_disable_storage
- coredump_disable_backtraces
- service_systemd-coredump_disabled
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- use_pam_wheel_for_su
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:54 +0200
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
---
products/rhel8/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7a..ebec8a3a6f9 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 13:55:05 +0200
Subject: [PATCH 4/4] update profile stability test
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5d73a8c6fef..21e93e310d5 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
- var_slub_debug_options=P
- var_auditd_flush=incremental_async
- var_accounts_max_concurrent_login_sessions=10
-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted

302
SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
View File

@ -1,302 +0,0 @@
From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 Jul 2022 13:49:05 +0200
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index dcc41970043..0902abf58db 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,10 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - disable_users_coredumps
- sysctl_kernel_core_pattern
- - coredump_disable_storage
- - coredump_disable_backtraces
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 12:17:27 +0200
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
---
shared/templates/sysctl/oval.template | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1a7c4979bbe..e0c6f72f928 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -17,13 +17,8 @@
{{% endif %}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
-{{%- if SYSCTLVAL == "" -%}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- else -%}}
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- endif -%}}
{{%- endmacro -%}}
{{%- if "P" in FLAGS -%}}
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:00:45 +0200
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
new file mode 100644
index 00000000000..7fa36fb940e
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+ The default coredump filename is <pre>core</pre>. By setting
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+ <pre>.PID</pre> will be appended to the filename.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86003-1
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_uses_pid
+ datatype: int
+ sysctlval: '0'
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 09:08:37 +0200
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
---
.../rule.yml | 49 +++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
new file mode 100644
index 00000000000..089bb1481aa
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+ behaves differently based on another related option. If
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+ <tt>0</tt>, no coredump is saved.
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data and is generally useful
+ only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+ - sysctl_kernel_core_uses_pid
+
+conflicts:
+ - sysctl_kernel_core_pattern
+
+identifiers:
+ cce@rhel9: CCE-86005-6
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+ the returned line does not have a value of ''.
+
+ocil: |
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_pattern
+ sysctlval: "''"
+ datatype: string
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:40:47 +0200
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
---
products/rhel9/profiles/ospp.profile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0902abf58db..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,8 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:01:12 +0200
Subject: [PATCH 6/8] describe beneficial dependency between
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index 7fa36fb940e..d6d2c468c10 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
rationale: |-
- The default coredump filename is <pre>core</pre>. By setting
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
- <pre>.PID</pre> will be appended to the filename.
+ The default coredump filename is <tt>core</tt>. By setting
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
+ <tt>.PID</tt> will be appended to the filename.
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
+ is ensured that no core dumps are generated and also no confusing error
+ messages are printed by a shell.
severity: medium
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:53:37 +0200
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
sysctl_kernel_core_pattern_empty_string
they are modifying the same configuration
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 771c4d40e0f..c27a9e7ecf3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
severity: medium
+conflicts:
+ - sysctl_kernel_core_pattern_empty_string
+
identifiers:
cce@rhcos4: CCE-82527-3
cce@rhel8: CCE-82215-5
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 9 Aug 2022 16:43:20 +0200
Subject: [PATCH 8/8] fix ocils
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index c27a9e7ecf3..1a540ce20b3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -29,7 +29,10 @@ references:
stigid@ol8: OL08-00-010671
stigid@rhel8: RHEL-08-010671
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: |-
+ the returned line does not have a value of "|/bin/false", or a line is not
+ returned and the need for core dumps is not documented with the Information
+ System Security Officer (ISSO) as an operational requirement
ocil: |
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index d6d2c468c10..8f51f97c16c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -24,10 +24,10 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
platform: machine

826
SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
View File

@ -1,826 +0,0 @@
From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 18 Aug 2022 13:06:49 +0200
Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
content.
---
.../ansible/shared.yml | 32 +++
.../bash/shared.sh | 60 +++++
.../oval/shared.xml | 221 ++++++++++++++++++
.../rule.yml | 23 +-
.../tests/correct_value.pass.sh | 10 +
.../tests/wrong_value.fail.sh | 10 +
.../tests/wrong_value_three_entries.fail.sh | 11 +
.../tests/wrong_value_two_entries.fail.sh | 10 +
products/rhel9/profiles/ospp.profile | 2 +-
9 files changed, 366 insertions(+), 13 deletions(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
new file mode 100644
index 00000000000..a6e7bf54b56
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+- name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ contains: ^[\s]*kernel.core_pattern.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*kernel.core_pattern
+ replace: '#kernel.core_pattern'
+ loop: '{{ find_sysctl_d.files }}'
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
+ replace:
+ path: /etc/sysctl.conf
+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
+ replace: '#kernel.core_pattern'
+- name: Ensure sysctl kernel.core_pattern is set to empty
+ sysctl:
+ name: kernel.core_pattern
+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
+ state: present
+ reload: true
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
new file mode 100644
index 00000000000..989987250bc
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
@@ -0,0 +1,60 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "kernel.core_pattern" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for kernel.core_pattern
+#
+/sbin/sysctl -q -n -w kernel.core_pattern=""
+
+#
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s=" "$stripped_key"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
new file mode 100644
index 00000000000..39654259dcb
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
@@ -0,0 +1,221 @@
+
+
+<def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="kernel.core_pattern configuration setting check"
+ definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
+ <extend_definition comment="kernel.core_pattern runtime setting check"
+ definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
+ </criteria>
+ </definition>
+</def-group><def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
+ <criteria operator="AND">
+ <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
+ </criteria>
+ </definition>
+
+ <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
+ comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+ check="all" check_existence="all_exist" state_operator="OR">
+ <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+ <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+ </unix:sysctl_test>
+
+ <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+ <unix:name>kernel.core_pattern</unix:name>
+ </unix:sysctl_object>
+
+
+ <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+
+ <unix:value datatype="string"
+ operation="equals"></unix:value>
+
+ </unix:sysctl_state>
+
+</def-group>
+<def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
+ <criteria operator="AND">
+ <criteria operator="OR">
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
+ <!-- see sysctl.d(5) -->
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
+
+ </criteria>
+
+ <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
+ check="all" check_existence="all_exist"
+ comment="kernel.core_pattern static configuration" state_operator="OR">
+ <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
+ comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
+ <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
+ comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
+ <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
+ id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ </ind:variable_test>
+
+ <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
+ </ind:variable_object>
+
+ <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:value operation="equals" datatype="int">1</ind:value>
+ </ind:variable_state>
+
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
+ <count>
+ <unique>
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
+ </unique>
+ </count>
+ </local_variable>
+
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
+ <set>
+ <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
+ <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
+ </ind:textfilecontent54_state>
+
+ <!-- <no symlink handling> -->
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
+ This ultimately avoids referencing a variable with "no values",
+ we reference a variable with a blank string -->
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
+ <unique>
+ <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
+ </unique>
+ </local_variable>
+
+ <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
+ <set>
+ <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:variable_object>
+
+ <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
+ <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
+ <literal_component datatype="string"></literal_component>
+ </local_variable>
+
+ <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
+ <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+ </ind:variable_object>
+ <!-- </no symlink handling> -->
+
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
+ <unique>
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
+ </unique>
+ </local_variable>
+
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+ Workaround by querying for all conf files found -->
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
+ </unix:symlink_object>
+
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+ ^/etc/sysctl.conf$
+ ^/etc/sysctl.d/.*$
+ ^/run/sysctl.d/.*$
+ ^/usr/lib/sysctl.d/.*$ -->
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+ </unix:symlink_state>
+
+
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
+ </local_variable>
+
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+ variable to have no value even when there are valid objects. -->
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
+ <set>
+ <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+ <set>
+ <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+ <set>
+ <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:path>/etc/sysctl.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:path>/run/sysctl.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+
+ <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
+
+ </ind:textfilecontent54_state>
+
+</def-group>
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
index dc21f53c98c..2babb28e361 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -1,18 +1,18 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+prodtype: rhel9
title: 'Disable storing core dumps'
description: |-
The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
- name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+ name. It can be set to an empty string. In this case, the kernel
behaves differently based on another related option. If
<tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
<tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
<tt>0</tt>, no coredump is saved.
- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
rationale: |-
A core dump includes a memory image taken at the time the operating system
@@ -30,17 +30,16 @@ conflicts:
identifiers:
cce@rhel9: CCE-86005-6
+references:
+ ospp: FMT_SMF_EXT.1
+
ocil_clause: |-
- the returned line does not have a value of ''.
+ the returned line does not have an empty string
ocil: |
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+ The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
+ by running the following command:
+ <pre>$ sysctl kernel.core_pattern | cat -A</pre>
+ <code>kernel.core_pattern = $</code>
platform: machine
-
-template:
- name: sysctl
- vars:
- sysctlvar: kernel.core_pattern
- sysctlval: "''"
- datatype: string
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..71f0f5db142
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..1c5fabcc136
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
new file mode 100644
index 00000000000..e56e927ec56
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
new file mode 100644
index 00000000000..6c065b1e038
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 9fdd1354e38..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
- sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:13:04 +0200
Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
The new rule empty is applicable only to RHEL9 and if there would not be
the restriction, then dangling references would be produced.
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 1a540ce20b3..e369854060b 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,8 +13,10 @@ rationale: |-
severity: medium
+{{% if product in ["rhel9"] %}}
conflicts:
- sysctl_kernel_core_pattern_empty_string
+{{% endif %}}
identifiers:
cce@rhcos4: CCE-82527-3
From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:16:41 +0200
Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
sysctl_kernel_core_pattern_empty_string.
---
.../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
index 989987250bc..9e84d41056d 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_all
# reboot = true
# strategy = disable
# complexity = low
From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:23:04 +0200
Subject: [PATCH 4/8] Address feedback.
---
.../ansible/shared.yml | 3 +++
.../oval/shared.xml | 19 +++++--------------
2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
index a6e7bf54b56..22a8d99dae8 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -12,6 +12,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
+
- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
files
replace:
@@ -19,11 +20,13 @@
regexp: ^[\s]*kernel.core_pattern
replace: '#kernel.core_pattern'
loop: '{{ find_sysctl_d.files }}'
+
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
replace:
path: /etc/sysctl.conf
regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
replace: '#kernel.core_pattern'
+
- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
name: kernel.core_pattern
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
index 39654259dcb..1c3bbfd9a3e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
@@ -10,7 +10,9 @@
definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
</criteria>
</definition>
-</def-group><def-group>
+</def-group>
+
+<def-group>
<definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
{{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
<criteria operator="AND">
@@ -23,21 +25,15 @@
comment="kernel runtime parameter kernel.core_pattern set to an empty string"
check="all" check_existence="all_exist" state_operator="OR">
<unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
-
<unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
-
</unix:sysctl_test>
<unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
<unix:name>kernel.core_pattern</unix:name>
</unix:sysctl_object>
-
<unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
-
- <unix:value datatype="string"
- operation="equals"></unix:value>
-
+ <unix:value datatype="string" operation="equals"></unix:value>
</unix:sysctl_state>
</def-group>
@@ -53,18 +49,17 @@
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
<criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
-
</criteria>
<criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
</criteria>
</definition>
+
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
check="all" check_existence="all_exist"
comment="kernel.core_pattern static configuration" state_operator="OR">
<ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
<ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
-
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
@@ -165,7 +160,6 @@
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
</unix:symlink_state>
-
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
<object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
</local_variable>
@@ -189,7 +183,6 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
<set>
<object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
-
</set>
</ind:textfilecontent54_object>
@@ -213,9 +206,7 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
-
<ind:subexpression operation="equals" datatype="string"></ind:subexpression>
-
</ind:textfilecontent54_state>
</def-group>
From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 14:46:15 +0200
Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
def-group tags.
---
tests/test_parse_affected.py | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
index 8407794b972..947b56636c0 100755
--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
@@ -3,6 +3,7 @@
from __future__ import print_function
import os
+import re
import sys
import ssg.constants
@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
if not xml_content:
continue
- oval_contents = ssg.utils.split_string_content(xml_content)
+ # split multiple def group into a list so multiple definitions in one OVAL also work
+ # this findall does not preserv the <def-group> tag but it's not necessary for the
+ # purpose of the test
+ xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
+ for item in xml_content_list:
+ oval_contents = ssg.utils.split_string_content(item)
- try:
- results = ssg.oval.parse_affected(oval_contents)
+ try:
+ results = ssg.oval.parse_affected(oval_contents)
- assert len(results) == 3
- assert isinstance(results[0], int)
- assert isinstance(results[1], int)
+ assert len(results) == 3
+ assert isinstance(results[0], int)
+ assert isinstance(results[1], int)
- except ValueError as e:
- print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, xml_content))
- raise e
+ except ValueError as e:
+ print("No <affected> element found in file {}. "
+ " Parsed XML was:\n{}".format(oval, item))
+ raise e
if __name__ == "__main__":
From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:14:57 +0200
Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
values.
Comment out any offending line.
---
.../ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
index 22a8d99dae8..f4dc5110fee 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -24,8 +24,8 @@
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
replace:
path: /etc/sysctl.conf
- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
- replace: '#kernel.core_pattern'
+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
+ replace: '#kernel.core_pattern\1'
- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:20:41 +0200
Subject: [PATCH 7/8] Fix PEP8 issue.
---
tests/test_parse_affected.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
index 947b56636c0..53690df5ce1 100755
--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
except ValueError as e:
print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, item))
+ " Parsed XML was:\n{}".format(oval, item))
raise e
From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 16:31:31 +0200
Subject: [PATCH 8/8] Add more test scenarios for
sysctl_kernel_core_pattern_empty_string.
---
.../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
.../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
.../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
new file mode 100644
index 00000000000..b6688e6ca91
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern= " >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
new file mode 100644
index 00000000000..6c574b92762
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
new file mode 100644
index 00000000000..8c729677b86
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"

47
SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
View File

@ -1,47 +0,0 @@
From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 20 Jul 2022 14:18:13 +0200
Subject: [PATCH] change remediations to include the "=" sign
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index c335a9e7fa2..852ca18cf79 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -20,7 +20,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
@@ -29,7 +29,7 @@
- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 21edb780a2f..79eb5cff189 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
{{% if 'sle' in product %}}
{{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}

29
SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
View File

@ -1,29 +0,0 @@
From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 28 Jul 2022 15:08:15 +0200
Subject: [PATCH] Remove a confusing sentence
In the rule description, there are 2 conflicting sentences, they
both start by "By default ...", but they negate each other.
In fact, the second of them is true, so the first one could be
removed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
---
.../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 932d76c36d9..332712ea1dd 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
description: |-
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
- providing a boot option at startup. By default, no authentication
- is performed if single-user mode is selected.
+ providing a boot option at startup.
<br /><br />
By default, single-user mode is protected by requiring a password and is set
in <tt>/usr/lib/systemd/system/rescue.service</tt>.

48
SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
View File

@ -1,48 +0,0 @@
From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:28 +0200
Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
sysctl_kernel_core_pattern
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b1b18261d48..9fdd1354e38 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_pattern
- sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:55 +0200
Subject: [PATCH 2/2] remove ospp reference from
sysctl_kernel_core_pattern_empty_string
---
.../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
index 089bb1481aa..dc21f53c98c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -30,9 +30,6 @@ conflicts:
identifiers:
cce@rhel9: CCE-86005-6
-references:
- ospp: FMT_SMF_EXT.1
-
ocil_clause: |-
the returned line does not have a value of ''.

60
SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
View File

@ -1,60 +0,0 @@
From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 11 Aug 2022 16:53:48 +0200
Subject: [PATCH] add 4 rules back to RHEL9 datastream
---
.../services/kerberos/package_krb5-server_removed/rule.yml | 2 +-
.../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
.../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
.../system-tools/package_krb5-workstation_removed/rule.yml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
index 78577046409..17d742d9692 100644
--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
title: 'Remove the Kerberos Server Package'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index d8a3910ff4d..9be95ffed5c 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index ee7ccb2d8da..0f7ad7c0431 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Uninstall ypserv Package'
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
index 7a02459825d..4750fd6b266 100644
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
title: 'Uninstall krb5-workstation Package'

1888
SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
View File

File diff suppressed because it is too large Load Diff

106
SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch Normal file
View File

@ -0,0 +1,106 @@
From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:14 +0100
Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
---
.../oval/shared.xml | 68 +++++++++++++++----
1 file changed, 54 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
index 4adef2e53f..d7c96665b4 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -133,9 +133,10 @@
OVAL resources in order to detect and assess only active zone, which are zones with at
least one NIC assigned to it. Since it was possible to easily have the list of active
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
- level of complexity to make sure environments with multiple NICs and multiple zones are
- in use. So, in favor of simplicity and readbility it was decided to work with a static
- list. It means that, in the future, it is possible this list needs to be updated. -->
+ level of complexity to ensure proper assessment in environments where multiple NICs and
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
+ work with a static list. It means that, in the future, it is possible this list needs to
+ be updated. -->
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
datatype="string"
comment="Regex containing the list of zones files delivered in the firewalld package">
@@ -145,23 +146,62 @@
<!-- If any default zone is modified by the administrator, the respective zone file is placed
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
directory is applicable for new zones created by the administrator. Therefore, all files
- in this directory should also allow SSH. -->
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
+ in this directory should also allow SSH.
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
+ an impact in transparency since the objects are not shown in reports. The transparency
+ impact can be workarounded by using other OVAL objects, but this would impact in
+ readability and would increase complexity. This solution is in favor of simplicity. -->
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
check="all" check_existence="at_least_one_exists" version="1"
comment="SSH service is defined in all zones created or modified by the administrator">
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
- </ind:xmlfilecontent_test>
+ <ind:object
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_test>
+
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ version="1">
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files allowing ssh">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
+ </count>
+ </local_variable>
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ <ind:path>/etc/firewalld/zones</ind:path>
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
</ind:xmlfilecontent_object>
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_state>
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_state>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
+ </count>
+ </local_variable>
+
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path>/etc/firewalld/zones</unix:path>
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
+ </unix:file_object>
<!-- SSH service is configured as expected -->
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
--
2.39.1

122
SOURCES/scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch Normal file
View File

@ -0,0 +1,122 @@
From 25216f8eb9caa6e783322158967b689e8bd784e7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:14 +0100
Subject: [PATCH 4/5] Accept required and requisite control flag for
pam_pwhistory
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
Patch-status: Accept required and requisite control flag for pam_pwhistory
---
controls/cis_rhel8.yml | 2 +-
controls/cis_rhel9.yml | 2 +-
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
.../rule.yml | 4 ++++
.../var_password_pam_remember_control_flag.var | 1 +
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
8 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c0406f97b8..efc53d03fd 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2267,7 +2267,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 7299a39528..30f7e8d182 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2112,7 +2112,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
index 1e8286a4a4..b02b7da419 100644
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
@@ -5,7 +5,7 @@ controls:
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
rules:
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
status: automated
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index c549de2e96..d2b220ef9f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -129,3 +129,7 @@ warnings:
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
+ If a custom profile was created and used in the system before this authselect feature was
+ available, the new feature can't be used with this custom profile and the
+ remediation will fail. In this case, the custom profile should be recreated or manually
+ updated.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
index 8f01007550..1959936c04 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
@@ -20,4 +20,5 @@ options:
"sufficient": "sufficient"
"binding": "binding"
"ol8": "required,requisite"
+ "requisite_or_required": "requisite,required"
default: "requisite"
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 8c64868619..a3f7dc9720 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -37,7 +37,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6970a32b4f..5d694c6ae1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -433,7 +433,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 314f14e4f6..e165525b90 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -441,7 +441,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
--
2.39.1

147
SOURCES/scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch Normal file
View File

@ -0,0 +1,147 @@
From 2bfdf9fa7e8309b079e657460671818e77b9a233 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:15 +0100
Subject: [PATCH 5/5] remove rule logind_session_timeout and associated
variable from profiles
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
Patch-status: remove rule logind_session_timeout and associated variable from profiles
---
controls/anssi.yml | 2 --
products/rhel8/profiles/cjis.profile | 2 --
products/rhel8/profiles/ospp.profile | 2 --
products/rhel8/profiles/pci-dss.profile | 2 --
products/rhel8/profiles/rht-ccp.profile | 2 --
tests/data/profile_stability/rhel8/ospp.profile | 2 --
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
7 files changed, 14 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 607ce976ef..9e631d1de4 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -676,8 +676,6 @@ controls:
- var_accounts_tmout=10_min
- sshd_set_idle_timeout
- sshd_idle_timeout_value=10_minutes
- - logind_session_timeout
- - var_logind_session_timeout=10_minutes
- sshd_set_keepalive
- id: R30
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 22ae5aac72..30843b692e 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -104,7 +104,6 @@ selections:
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- - logind_session_timeout
- sshd_set_keepalive_0
- disable_host_auth
- sshd_disable_root_login
@@ -120,7 +119,6 @@ selections:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled
- sshd_idle_timeout_value=30_minutes
- - var_logind_session_timeout=30_minutes
- inactivity_timeout_value=30_minutes
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_tcp_syncookies
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 0fe17b2085..fb46ab4c0c 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -300,8 +300,6 @@ selections:
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
- sshd_idle_timeout_value=14_minutes
- sshd_set_idle_timeout
- - logind_session_timeout
- - var_logind_session_timeout=14_minutes
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index c63c5f4a07..c0c9b12773 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -17,7 +17,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
- - var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
@@ -110,7 +109,6 @@ selections:
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- accounts_password_pam_minlen
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 6856951bff..01133a9bde 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -12,7 +12,6 @@ selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- sshd_idle_timeout_value=5_minutes
- - var_logind_session_timeout=5_minutes
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_password_warn_age_login_defs=7
@@ -89,7 +88,6 @@ selections:
- package_telnet_removed
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index a31f3245d8..267b66a4f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -104,7 +104,6 @@ selections:
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- kernel_module_tipc_disabled
-- logind_session_timeout
- mount_option_boot_nodev
- mount_option_boot_nosuid
- mount_option_dev_shm_nodev
@@ -254,7 +253,6 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- sshd_idle_timeout_value=14_minutes
-- var_logind_session_timeout=14_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 5c77ea6a85..902d0084fc 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -109,7 +109,6 @@ selections:
- gid_passwd_group_same
- grub2_audit_argument
- install_hids
-- logind_session_timeout
- no_empty_passwords
- package_aide_installed
- package_audispd-plugins_installed
@@ -137,7 +136,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
-- var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
--
2.39.1

3148
SOURCES/scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1950
SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch Normal file
View File

File diff suppressed because it is too large Load Diff

32
SPECS/scap-security-guide.spec
View File

@ -5,24 +5,24 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.63
Release: 5%{?dist}
Version: 0.1.66
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Rsyslog files rules remediations
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
# Extends rsyslog_logfiles_attributes_modify template for permissions
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
# Change custom zones check in firewalld_sshd_port_enabled
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
# Accept required and requisite control flag for pam_pwhistory
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
# remove rule logind_session_timeout and associated variable from profiles
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
BuildArch: noarch
Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
@ -108,6 +108,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
- Fix remediation of audit watch rules (RHBZ#2169441)
- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
- Unselect rule logind_session_timeout (RHBZ#2169443)
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
- OSPP: fix rule related to coredump (RHBZ#2081688)