4
.gitignore
@ -1,3 +1 @@
|
|||||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||||
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
|
||||||
SOURCES/scap-security-guide-0.1.75.tar.bz2
|
|
||||||
|
@ -1,3 +1 @@
|
|||||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||||
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
|
||||||
96a8823bf638cd2c656deb431686f74da8084694 SOURCES/scap-security-guide-0.1.75.tar.bz2
|
|
||||||
|
26599
SOURCES/0001-Add-AlmaLinux-9-support.patch
@ -0,0 +1,90 @@
|
|||||||
|
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||||
|
Subject: [PATCH 1/4] fix ospp references
|
||||||
|
|
||||||
|
---
|
||||||
|
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
index c151d3c4aa1..f9b46c51ddd 100644
|
||||||
|
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
@@ -34,6 +34,7 @@ references:
|
||||||
|
disa: CCI-000213
|
||||||
|
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||||
|
nist: AC-3
|
||||||
|
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||||
|
srg: SRG-OS-000480-GPOS-00227
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
|
||||||
|
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||||
|
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index b47630c62b0..dcc41970043 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -115,7 +115,7 @@ selections:
|
||||||
|
- coredump_disable_storage
|
||||||
|
- coredump_disable_backtraces
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- use_pam_wheel_for_su
|
||||||
|
|
||||||
|
|
||||||
|
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||||
|
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel8/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||||
|
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||||
|
--- a/products/rhel8/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel8/profiles/ospp.profile
|
||||||
|
@@ -220,7 +220,7 @@ selections:
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
- accounts_max_concurrent_login_sessions
|
||||||
|
- securetty_root_login_console_only
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- accounts_password_pam_unix_remember
|
||||||
|
|
||||||
|
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||||
|
Subject: [PATCH 4/4] update profile stability test
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
index 5d73a8c6fef..21e93e310d5 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
@@ -242,7 +242,7 @@ selections:
|
||||||
|
- var_slub_debug_options=P
|
||||||
|
- var_auditd_flush=incremental_async
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
-- var_authselect_profile=sssd
|
||||||
|
+- var_authselect_profile=minimal
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- var_selinux_state=enforcing
|
||||||
|
- var_selinux_policy_name=targeted
|
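Review bot: Patch 4/4 in this file updates only the fixture under `diff --git a/tests/data/profile_stability/rhel8/ospp.profile`, while patch 2/4 changes `products/rhel9/profiles/ospp.profile` the same way; if this tree also carries a `tests/data/profile_stability/rhel9/ospp.profile` fixture, the profile stability test will fail for rhel9 until it gets the matching `- var_authselect_profile=minimal` line. The patch file carries nothing beyond the upstream commit ids to explain the change; a one-line header comment naming the upstream pull request and why the OSPP authselect profile moves from `sssd` to `minimal` would make the next rebase easier to audit. The spec file is not visible here, so I am assuming the new SOURCES patch is also listed as a `PatchN` entry there; if not, the patch is never applied at build time.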
@ -0,0 +1,302 @@
|
|||||||
|
From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 27 Jul 2022 13:49:05 +0200
|
||||||
|
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 3 ---
|
||||||
|
1 file changed, 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index dcc41970043..0902abf58db 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,10 +110,7 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - disable_users_coredumps
|
||||||
|
- sysctl_kernel_core_pattern
|
||||||
|
- - coredump_disable_storage
|
||||||
|
- - coredump_disable_backtraces
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
|
||||||
|
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 12:17:27 +0200
|
||||||
|
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
|
||||||
|
|
||||||
|
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
|
||||||
|
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
|
||||||
|
---
|
||||||
|
shared/templates/sysctl/oval.template | 5 -----
|
||||||
|
1 file changed, 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
||||||
|
index 1a7c4979bbe..e0c6f72f928 100644
|
||||||
|
--- a/shared/templates/sysctl/oval.template
|
||||||
|
+++ b/shared/templates/sysctl/oval.template
|
||||||
|
@@ -17,13 +17,8 @@
|
||||||
|
{{% endif %}}
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
{{%- macro sysctl_match() -%}}
|
||||||
|
-{{%- if SYSCTLVAL == "" -%}}
|
||||||
|
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
|
||||||
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
-{{%- else -%}}
|
||||||
|
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
-{{%- endif -%}}
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
{{%- if "P" in FLAGS -%}}
|
||||||
|
|
||||||
|
|
||||||
|
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 13:00:45 +0200
|
||||||
|
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
|
||||||
|
2 files changed, 36 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..7fa36fb940e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -0,0 +1,36 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+
|
||||||
|
+title: 'Configure file name of core dumps'
|
||||||
|
+
|
||||||
|
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ The default coredump filename is <pre>core</pre>. By setting
|
||||||
|
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||||
|
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||||
|
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||||
|
+ <pre>.PID</pre> will be appended to the filename.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel9: CCE-86003-1
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+
|
||||||
|
+ocil: |-
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: sysctl
|
||||||
|
+ vars:
|
||||||
|
+ sysctlvar: kernel.core_uses_pid
|
||||||
|
+ datatype: int
|
||||||
|
+ sysctlval: '0'
|
||||||
|
|
||||||
|
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 09:08:37 +0200
|
||||||
|
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rule.yml | 49 +++++++++++++++++++
|
||||||
|
2 files changed, 49 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..089bb1481aa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
@@ -0,0 +1,49 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+
|
||||||
|
+title: 'Disable storing core dumps'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||||
|
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||||
|
+ behaves differently based on another related option. If
|
||||||
|
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||||
|
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||||
|
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||||
|
+ <tt>0</tt>, no coredump is saved.
|
||||||
|
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ A core dump includes a memory image taken at the time the operating system
|
||||||
|
+ terminates an application. The memory image could contain sensitive data and is generally useful
|
||||||
|
+ only for developers trying to debug problems.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+requires:
|
||||||
|
+ - sysctl_kernel_core_uses_pid
|
||||||
|
+
|
||||||
|
+conflicts:
|
||||||
|
+ - sysctl_kernel_core_pattern
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel9: CCE-86005-6
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
+ocil_clause: |-
|
||||||
|
+ the returned line does not have a value of ''.
|
||||||
|
+
|
||||||
|
+ocil: |
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: sysctl
|
||||||
|
+ vars:
|
||||||
|
+ sysctlvar: kernel.core_pattern
|
||||||
|
+ sysctlval: "''"
|
||||||
|
+ datatype: string
|
||||||
|
|
||||||
|
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 10:40:47 +0200
|
||||||
|
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index 0902abf58db..b1b18261d48 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,7 +110,8 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - sysctl_kernel_core_pattern
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
+ - sysctl_kernel_core_uses_pid
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
|
||||||
|
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 13:01:12 +0200
|
||||||
|
Subject: [PATCH 6/8] describe beneficial dependency between
|
||||||
|
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
index 7fa36fb940e..d6d2c468c10 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
|
||||||
|
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||||
|
|
||||||
|
rationale: |-
|
||||||
|
- The default coredump filename is <pre>core</pre>. By setting
|
||||||
|
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||||
|
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||||
|
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||||
|
- <pre>.PID</pre> will be appended to the filename.
|
||||||
|
+ The default coredump filename is <tt>core</tt>. By setting
|
||||||
|
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
|
||||||
|
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
|
||||||
|
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
|
||||||
|
+ <tt>.PID</tt> will be appended to the filename.
|
||||||
|
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
|
||||||
|
+ is ensured that no core dumps are generated and also no confusing error
|
||||||
|
+ messages are printed by a shell.
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
|
||||||
|
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 10:53:37 +0200
|
||||||
|
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
|
||||||
|
sysctl_kernel_core_pattern_empty_string
|
||||||
|
|
||||||
|
they are modifying the same configuration
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index 771c4d40e0f..c27a9e7ecf3 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -13,6 +13,9 @@ rationale: |-
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
+conflicts:
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
+
|
||||||
|
identifiers:
|
||||||
|
cce@rhcos4: CCE-82527-3
|
||||||
|
cce@rhel8: CCE-82215-5
|
||||||
|
|
||||||
|
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Tue, 9 Aug 2022 16:43:20 +0200
|
||||||
|
Subject: [PATCH 8/8] fix ocils
|
||||||
|
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
|
||||||
|
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
|
||||||
|
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index c27a9e7ecf3..1a540ce20b3 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -29,7 +29,10 @@ references:
|
||||||
|
stigid@ol8: OL08-00-010671
|
||||||
|
stigid@rhel8: RHEL-08-010671
|
||||||
|
|
||||||
|
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+ocil_clause: |-
|
||||||
|
+ the returned line does not have a value of "|/bin/false", or a line is not
|
||||||
|
+ returned and the need for core dumps is not documented with the Information
|
||||||
|
+ System Security Officer (ISSO) as an operational requirement
|
||||||
|
|
||||||
|
ocil: |
|
||||||
|
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
index d6d2c468c10..8f51f97c16c 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -24,10 +24,10 @@ identifiers:
|
||||||
|
references:
|
||||||
|
ospp: FMT_SMF_EXT.1
|
||||||
|
|
||||||
|
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+ocil_clause: 'the returned line does not have a value of 0'
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
|
||||||
|
|
||||||
|
platform: machine
|
||||||
|
|
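Review bot: In patch 4/8 the `description: |-` block of the new sysctl_kernel_core_pattern_empty_string rule ends with `{{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'`, and because that line sits inside a block scalar the trailing `'` is rendered into the description as a literal apostrophe; it should be dropped. The same rule hands `sysctlval: "''"` to the sysctl template, so the generated check and remediation will look for the two-character value `''` in sysctl.conf rather than an empty value; as far as I know sysctl(8) does not strip quotes from its configuration, so I would confirm that the templated OVAL actually passes on a host configured with an empty `kernel.core_pattern =` line (the custom content in the following patch file suggests this was found later). Patch 3/8 initially points the ocil of sysctl_kernel_core_uses_pid at `kernel.core_pattern`; patch 8/8 corrects that, so squashing the two would leave no revision of the rule with a misleading ocil.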
@ -0,0 +1,826 @@
|
|||||||
|
From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 18 Aug 2022 13:06:49 +0200
|
||||||
|
Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
|
||||||
|
content.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ansible/shared.yml | 32 +++
|
||||||
|
.../bash/shared.sh | 60 +++++
|
||||||
|
.../oval/shared.xml | 221 ++++++++++++++++++
|
||||||
|
.../rule.yml | 23 +-
|
||||||
|
.../tests/correct_value.pass.sh | 10 +
|
||||||
|
.../tests/wrong_value.fail.sh | 10 +
|
||||||
|
.../tests/wrong_value_three_entries.fail.sh | 11 +
|
||||||
|
.../tests/wrong_value_two_entries.fail.sh | 10 +
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 +-
|
||||||
|
9 files changed, 366 insertions(+), 13 deletions(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..a6e7bf54b56
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+# reboot = true
|
||||||
|
+# strategy = disable
|
||||||
|
+# complexity = low
|
||||||
|
+# disruption = medium
|
||||||
|
+- name: List /etc/sysctl.d/*.conf files
|
||||||
|
+ find:
|
||||||
|
+ paths:
|
||||||
|
+ - /etc/sysctl.d/
|
||||||
|
+ - /run/sysctl.d/
|
||||||
|
+ contains: ^[\s]*kernel.core_pattern.*$
|
||||||
|
+ patterns: '*.conf'
|
||||||
|
+ file_type: any
|
||||||
|
+ register: find_sysctl_d
|
||||||
|
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||||
|
+ files
|
||||||
|
+ replace:
|
||||||
|
+ path: '{{ item.path }}'
|
||||||
|
+ regexp: ^[\s]*kernel.core_pattern
|
||||||
|
+ replace: '#kernel.core_pattern'
|
||||||
|
+ loop: '{{ find_sysctl_d.files }}'
|
||||||
|
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||||
|
+ replace:
|
||||||
|
+ path: /etc/sysctl.conf
|
||||||
|
+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||||
|
+ replace: '#kernel.core_pattern'
|
||||||
|
+- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||||
|
+ sysctl:
|
||||||
|
+ name: kernel.core_pattern
|
||||||
|
+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
|
||||||
|
+ state: present
|
||||||
|
+ reload: true
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..989987250bc
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||||
|
+# reboot = true
|
||||||
|
+# strategy = disable
|
||||||
|
+# complexity = low
|
||||||
|
+# disruption = medium
|
||||||
|
+# Remediation is applicable only in certain platforms
|
||||||
|
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
|
||||||
|
+
|
||||||
|
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
|
||||||
|
+
|
||||||
|
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
|
||||||
|
+
|
||||||
|
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
|
||||||
|
+ if ! test -z "$matching_list"; then
|
||||||
|
+ while IFS= read -r entry; do
|
||||||
|
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
|
||||||
|
+ # comment out "kernel.core_pattern" matches to preserve user data
|
||||||
|
+ sed -i "s/^${escaped_entry}$/# &/g" $f
|
||||||
|
+ done <<< "$matching_list"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Set runtime for kernel.core_pattern
|
||||||
|
+#
|
||||||
|
+/sbin/sysctl -q -n -w kernel.core_pattern=""
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
|
||||||
|
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
|
||||||
|
+#
|
||||||
|
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
|
||||||
|
+# Otherwise, regular sed command will do.
|
||||||
|
+sed_command=('sed' '-i')
|
||||||
|
+if test -L "/etc/sysctl.conf"; then
|
||||||
|
+ sed_command+=('--follow-symlinks')
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Strip any search characters in the key arg so that the key can be replaced without
|
||||||
|
+# adding any search characters to the config file.
|
||||||
|
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
|
||||||
|
+
|
||||||
|
+# shellcheck disable=SC2059
|
||||||
|
+printf -v formatted_output "%s=" "$stripped_key"
|
||||||
|
+
|
||||||
|
+# If the key exists, change it. Otherwise, add it to the config_file.
|
||||||
|
+# We search for the key string followed by a word boundary (matched by \>),
|
||||||
|
+# so if we search for 'setting', 'setting2' won't match.
|
||||||
|
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
|
||||||
|
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
|
||||||
|
+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
|
||||||
|
+else
|
||||||
|
+ # \n is precaution for case where file ends without trailing newline
|
||||||
|
+
|
||||||
|
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+else
|
||||||
|
+ >&2 echo 'Remediation is not applicable, nothing was done'
|
||||||
|
+fi
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..39654259dcb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
@@ -0,0 +1,221 @@
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <extend_definition comment="kernel.core_pattern configuration setting check"
|
||||||
|
+ definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
|
||||||
|
+ <extend_definition comment="kernel.core_pattern runtime setting check"
|
||||||
|
+ definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+</def-group><def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
|
||||||
|
+ comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
+ check="all" check_existence="all_exist" state_operator="OR">
|
||||||
|
+ <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+
|
||||||
|
+ <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+
|
||||||
|
+ </unix:sysctl_test>
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
+ <unix:name>kernel.core_pattern</unix:name>
|
||||||
|
+ </unix:sysctl_object>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
+
|
||||||
|
+ <unix:value datatype="string"
|
||||||
|
+ operation="equals"></unix:value>
|
||||||
|
+
|
||||||
|
+ </unix:sysctl_state>
|
||||||
|
+
|
||||||
|
+</def-group>
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criteria operator="OR">
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
|
||||||
|
+ <!-- see sysctl.d(5) -->
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||||
|
+
|
||||||
|
+ </criteria>
|
||||||
|
+
|
||||||
|
+ <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||||
|
+ check="all" check_existence="all_exist"
|
||||||
|
+ comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||||
|
+ comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
|
||||||
|
+ comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
|
||||||
|
+ id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ </ind:variable_test>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:value operation="equals" datatype="int">1</ind:value>
|
||||||
|
+ </ind:variable_state>
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
|
||||||
|
+ <count>
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
|
||||||
|
+ </unique>
|
||||||
|
+ </count>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
|
||||||
|
+ <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
|
||||||
|
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
|
||||||
|
+ </ind:textfilecontent54_state>
|
||||||
|
+
|
||||||
|
+ <!-- <no symlink handling> -->
|
||||||
|
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
|
||||||
|
+ This ultimately avoids referencing a variable with "no values",
|
||||||
|
+ we reference a variable with a blank string -->
|
||||||
|
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
|
||||||
|
+ </unique>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
|
||||||
|
+ <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <literal_component datatype="string"></literal_component>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
|
||||||
|
+ <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+ <!-- </no symlink handling> -->
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
|
||||||
|
+ </unique>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
|
||||||
|
+ Workaround by querying for all conf files found -->
|
||||||
|
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
|
||||||
|
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
|
||||||
|
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
|
||||||
|
+ </unix:symlink_object>
|
||||||
|
+
|
||||||
|
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
|
||||||
|
+ ^/etc/sysctl.conf$
|
||||||
|
+ ^/etc/sysctl.d/.*$
|
||||||
|
+ ^/run/sysctl.d/.*$
|
||||||
|
+ ^/usr/lib/sysctl.d/.*$ -->
|
||||||
|
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||||
|
+ </unix:symlink_state>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
|
||||||
|
+ variable to have no value even when there are valid objects. -->
|
||||||
|
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:path>/etc/sysctl.d</ind:path>
|
||||||
|
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:path>/run/sysctl.d</ind:path>
|
||||||
|
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+ <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+
|
||||||
|
+ <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_state>
|
||||||
|
+
|
||||||
|
+</def-group>
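Review bot: The static half of this definition never reads /usr/lib/sysctl.d, although the symlink-state comment in the same hunk lists `^/usr/lib/sysctl.d/.*$` among the usual directories and the set object named `object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string` references only the /run object (the blank line inside its `<set>` looks like a dropped /usr/lib reference). A vendor drop-in under /usr/lib/sysctl.d that sets kernel.core_pattern is therefore neither evaluated nor counted by the defined-in-one-file criterion, and the rule only holds because `sysctl --system` appears to apply /etc/sysctl.conf last; either add a textfilecontent54_object for /usr/lib/sysctl.d and include it in the unfiltered set, or say in the comment that this directory is deliberately excluded. Separately, the `.` in `kernel.core_pattern` inside the three `<ind:pattern>` values is unescaped, so any single character is accepted there; `kernel\.core_pattern` pins it.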
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
index dc21f53c98c..2babb28e361 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
@@ -1,18 +1,18 @@
|
||||||
|
documentation_complete: true
|
||||||
|
|
||||||
|
-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+prodtype: rhel9
|
||||||
|
|
||||||
|
title: 'Disable storing core dumps'
|
||||||
|
|
||||||
|
description: |-
|
||||||
|
The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||||
|
- name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||||
|
+ name. It can be set to an empty string. In this case, the kernel
|
||||||
|
behaves differently based on another related option. If
|
||||||
|
<tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||||
|
<tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||||
|
created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||||
|
<tt>0</tt>, no coredump is saved.
|
||||||
|
- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||||
|
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
|
||||||
|
|
||||||
|
rationale: |-
|
||||||
|
A core dump includes a memory image taken at the time the operating system
|
||||||
|
@@ -30,17 +30,16 @@ conflicts:
|
||||||
|
identifiers:
|
||||||
|
cce@rhel9: CCE-86005-6
|
||||||
|
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
ocil_clause: |-
|
||||||
|
- the returned line does not have a value of ''.
|
||||||
|
+ the returned line does not have an empty string
|
||||||
|
|
||||||
|
ocil: |
|
||||||
|
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||||
|
+ The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
|
||||||
|
+ by running the following command:
|
||||||
|
+ <pre>$ sysctl kernel.core_pattern | cat -A</pre>
|
||||||
|
+ <code>kernel.core_pattern = $</code>
|
||||||
|
|
||||||
|
platform: machine
|
||||||
|
-
|
||||||
|
-template:
|
||||||
|
- name: sysctl
|
||||||
|
- vars:
|
||||||
|
- sysctlvar: kernel.core_pattern
|
||||||
|
- sysctlval: "''"
|
||||||
|
- datatype: string
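Review bot: The new `ocil` block queries only the runtime value with `sysctl kernel.core_pattern | cat -A`, while the hand-written OVAL this rule now carries ANDs a runtime check with a static check of /etc/sysctl.conf and the sysctl.d directories, so a manual assessor following the OCIL could pass a host whose persistent configuration still routes core dumps to a handler on the next boot. Consider a second step such as `grep -H '^[[:blank:]]*kernel.core_pattern' /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf` with the expected `kernel.core_pattern=` output, and tightening `ocil_clause` to `the returned value is not an empty string`, which also reads better than "does not have an empty string".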
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..71f0f5db142
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..1c5fabcc136
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern="|/bin/false"
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..e56e927ec56
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
@@ -0,0 +1,11 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..6c065b1e038
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index 9fdd1354e38..b1b18261d48 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,7 +110,7 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - sysctl_kernel_core_pattern
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
- sysctl_kernel_core_uses_pid
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
|
||||||
|
From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:13:04 +0200
|
||||||
|
Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
|
||||||
|
|
||||||
|
The new empty-string rule is applicable only to RHEL9; without this
restriction, dangling references would be produced.
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index 1a540ce20b3..e369854060b 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -13,8 +13,10 @@ rationale: |-
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
+{{% if product in ["rhel9"] %}}
|
||||||
|
conflicts:
|
||||||
|
- sysctl_kernel_core_pattern_empty_string
|
||||||
|
+{{% endif %}}
|
||||||
|
|
||||||
|
identifiers:
|
||||||
|
cce@rhcos4: CCE-82527-3
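Review bot: The `{{% if product in ["rhel9"] %}}` guard hard-codes the one product the conflicting rule is currently built for, so it has to be kept in sync by hand with the `prodtype` of sysctl_kernel_core_pattern_empty_string; the next commit already widens that rule's bash remediation to `# platform = multi_platform_all` (bash/shared.sh hunk in patch 3/8) while its rule.yml stays at `prodtype: rhel9`, and nothing here flags that disagreement. A short comment above the guard, `# keep in sync with prodtype of sysctl_kernel_core_pattern_empty_string`, would make the coupling visible, and with a single product `{{% if product == "rhel9" %}}` reads more directly than a one-element list. The `rationale:` block this hunk sits under begins before the hunk.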
|
||||||
|
|
||||||
|
From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:16:41 +0200
|
||||||
|
Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
|
||||||
|
sysctl_kernel_core_pattern_empty_string.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
index 989987250bc..9e84d41056d 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
# reboot = true
|
||||||
|
# strategy = disable
|
||||||
|
# complexity = low
|
||||||
|
|
||||||
|
From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:23:04 +0200
|
||||||
|
Subject: [PATCH 4/8] Address feedback.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ansible/shared.yml | 3 +++
|
||||||
|
.../oval/shared.xml | 19 +++++--------------
|
||||||
|
2 files changed, 8 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
index a6e7bf54b56..22a8d99dae8 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
patterns: '*.conf'
|
||||||
|
file_type: any
|
||||||
|
register: find_sysctl_d
|
||||||
|
+
|
||||||
|
- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||||
|
files
|
||||||
|
replace:
|
||||||
|
@@ -19,11 +20,13 @@
|
||||||
|
regexp: ^[\s]*kernel.core_pattern
|
||||||
|
replace: '#kernel.core_pattern'
|
||||||
|
loop: '{{ find_sysctl_d.files }}'
|
||||||
|
+
|
||||||
|
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||||
|
replace:
|
||||||
|
path: /etc/sysctl.conf
|
||||||
|
regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||||
|
replace: '#kernel.core_pattern'
|
||||||
|
+
|
||||||
|
- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||||
|
sysctl:
|
||||||
|
name: kernel.core_pattern
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
index 39654259dcb..1c3bbfd9a3e 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
@@ -10,7 +10,9 @@
|
||||||
|
definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
-</def-group><def-group>
|
||||||
|
+</def-group>
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
<definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||||
|
{{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||||
|
<criteria operator="AND">
|
||||||
|
@@ -23,21 +25,15 @@
|
||||||
|
comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
check="all" check_existence="all_exist" state_operator="OR">
|
||||||
|
<unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
-
|
||||||
|
<unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
-
|
||||||
|
</unix:sysctl_test>
|
||||||
|
|
||||||
|
<unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
<unix:name>kernel.core_pattern</unix:name>
|
||||||
|
</unix:sysctl_object>
|
||||||
|
|
||||||
|
-
|
||||||
|
<unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
-
|
||||||
|
- <unix:value datatype="string"
|
||||||
|
- operation="equals"></unix:value>
|
||||||
|
-
|
||||||
|
+ <unix:value datatype="string" operation="equals"></unix:value>
|
||||||
|
</unix:sysctl_state>
|
||||||
|
|
||||||
|
</def-group>
|
||||||
|
@@ -53,18 +49,17 @@
|
||||||
|
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||||
|
<criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||||
|
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||||
|
-
|
||||||
|
</criteria>
|
||||||
|
|
||||||
|
<criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||||
|
check="all" check_existence="all_exist"
|
||||||
|
comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||||
|
<ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
<ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
-
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
|
||||||
|
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||||
|
@@ -165,7 +160,6 @@
|
||||||
|
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||||
|
</unix:symlink_state>
|
||||||
|
|
||||||
|
-
|
||||||
|
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
<object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||||
|
</local_variable>
|
||||||
|
@@ -189,7 +183,6 @@
|
||||||
|
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
<set>
|
||||||
|
<object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
-
|
||||||
|
</set>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
@@ -213,9 +206,7 @@
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
<ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
-
|
||||||
|
<ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||||
|
-
|
||||||
|
</ind:textfilecontent54_state>
|
||||||
|
|
||||||
|
</def-group>
|
||||||
|
|
||||||
|
From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 14:46:15 +0200
|
||||||
|
Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
|
||||||
|
def-group tags.
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/test_parse_affected.py | 26 ++++++++++++++++----------
|
||||||
|
1 file changed, 16 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
|
||||||
|
index 8407794b972..947b56636c0 100755
|
||||||
|
--- a/tests/test_parse_affected.py
|
||||||
|
+++ b/tests/test_parse_affected.py
|
||||||
|
@@ -3,6 +3,7 @@
from __future__ import print_function
import os
+import re
import sys
import ssg.constants
@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
if not xml_content:
continue
- oval_contents = ssg.utils.split_string_content(xml_content)
+ # split multiple def group into a list so multiple definitions in one OVAL also work
+ # this findall does not preserv the <def-group> tag but it's not necessary for the
+ # purpose of the test
+ xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
+ for item in xml_content_list:
+ oval_contents = ssg.utils.split_string_content(item)
- try:
- results = ssg.oval.parse_affected(oval_contents)
+ try:
+ results = ssg.oval.parse_affected(oval_contents)
- assert len(results) == 3
- assert isinstance(results[0], int)
- assert isinstance(results[1], int)
+ assert len(results) == 3
+ assert isinstance(results[0], int)
+ assert isinstance(results[1], int)
- except ValueError as e:
- print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, xml_content))
- raise e
+ except ValueError as e:
+ print("No <affected> element found in file {}. "
+ " Parsed XML was:\n{}".format(oval, item))
+ raise e
if __name__ == "__main__":
From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:14:57 +0200
Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
values.
Comment out any offending line.
---
.../ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
index 22a8d99dae8..f4dc5110fee 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -24,8 +24,8 @@
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
replace:
path: /etc/sysctl.conf
- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
- replace: '#kernel.core_pattern'
+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
+ replace: '#kernel.core_pattern\1'
- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:20:41 +0200
Subject: [PATCH 7/8] Fix PEP8 issue.
---
tests/test_parse_affected.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
index 947b56636c0..53690df5ce1 100755
--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
except ValueError as e:
print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, item))
+ " Parsed XML was:\n{}".format(oval, item))
raise e
From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 16:31:31 +0200
Subject: [PATCH 8/8] Add more test scenarios for
sysctl_kernel_core_pattern_empty_string.
---
.../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
.../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
.../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
new file mode 100644
index 00000000000..b6688e6ca91
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern= " >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
new file mode 100644
index 00000000000..6c574b92762
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
new file mode 100644
index 00000000000..8c729677b86
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"
@ -0,0 +1,47 @@
From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 20 Jul 2022 14:18:13 +0200
Subject: [PATCH] change remediations to include the "=" sign
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index c335a9e7fa2..852ca18cf79 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -20,7 +20,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
@@ -29,7 +29,7 @@
- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 21edb780a2f..79eb5cff189 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
{{% if 'sle' in product %}}
{{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
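Review bot: The `lineinfile` task in the first hunk still has no `regexp:`, so on a host that already carries the old form `.include /etc/crypto-policies/back-ends/opensslcnf.config` the new `line:` is inserted next to it rather than replacing it, leaving two include directives under `[crypto_policy]`; adding `regexp: '^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf\.config\s*$'` to that task would make the remediation rewrite the existing directive instead. In the bash hunk, `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` now uses a non-capturing group `(?:=\s*)?`, which POSIX ERE (`grep -E`, `sed -E`) does not support; the grep or sed call that consumes the variable is outside the hunk, so this only matters if that call is not PCRE-based, and the plain optional group `(=\s*)?` works in both. The enclosing task list and the shell script both extend beyond the hunks.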
@ -0,0 +1,29 @@
From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 28 Jul 2022 15:08:15 +0200
Subject: [PATCH] Remove a confusing sentence
In the rule description, there are 2 conflicting sentences, they
both start by "By default ...", but they negate each other.
In fact, the second of them is true, so the first one could be
removed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
---
.../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 932d76c36d9..332712ea1dd 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
description: |-
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
- providing a boot option at startup. By default, no authentication
- is performed if single-user mode is selected.
+ providing a boot option at startup.
<br /><br />
By default, single-user mode is protected by requiring a password and is set
in <tt>/usr/lib/systemd/system/rescue.service</tt>.
@ -0,0 +1,48 @@
From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:28 +0200
Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
sysctl_kernel_core_pattern
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b1b18261d48..9fdd1354e38 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_pattern
- sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:55 +0200
Subject: [PATCH 2/2] remove ospp reference from
sysctl_kernel_core_pattern_empty_string
---
.../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
index 089bb1481aa..dc21f53c98c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -30,9 +30,6 @@ conflicts:
identifiers:
cce@rhel9: CCE-86005-6
-references:
- ospp: FMT_SMF_EXT.1
-
ocil_clause: |-
the returned line does not have a value of ''.
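--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
@@ -0,0 +1,60 @@
+From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 11 Aug 2022 16:53:48 +0200
+Subject: [PATCH] add 4 rules back to RHEL9 datastream
+
+---
+ .../services/kerberos/package_krb5-server_removed/rule.yml | 2 +-
+ .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
+ .../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
+ .../system-tools/package_krb5-workstation_removed/rule.yml | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+index 78577046409..17d742d9692 100644
+--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
++++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel7,rhel8
++prodtype: ol7,ol8,rhel7,rhel8,rhel9
+ 
+ title: 'Remove the Kerberos Server Package'
+ 
+diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+index d8a3910ff4d..9be95ffed5c 100644
+--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
++prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Remove NIS Client'
+ 
+diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+index ee7ccb2d8da..0f7ad7c0431 100644
+--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Uninstall ypserv Package'
+ 
+diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+index 7a02459825d..4750fd6b266 100644
+--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
+ 
+ title: 'Uninstall krb5-workstation Package'
+ 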
@ -1,36 +1,41 @@
|
|||||||
# Base name of static rhel6 content tarball
|
# SSG build system and tests count with build directory name `build`.
|
||||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
# For more details see:
|
||||||
# Base name of static rhel7 content tarball
|
|
||||||
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
|
|
||||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||||
%global _vpath_builddir build
|
%global _vpath_builddir build
|
||||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.75
|
Version: 0.1.63
|
||||||
Release: 1%{?dist}
|
Release: 5%{?dist}.alma
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
Group: Applications/System
|
|
||||||
URL: https://github.com/ComplianceAsCode/content/
|
URL: https://github.com/ComplianceAsCode/content/
|
||||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||||
# Include tarball with last released rhel6 content
|
|
||||||
Source1: %{_static_rhel6_content}.tar.bz2
|
|
||||||
# Include tarball with last released rhel7 content
|
|
||||||
Source2: %{_static_rhel7_content}.tar.bz2
|
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
|
Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
|
||||||
|
Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
|
||||||
|
Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
|
||||||
|
Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
|
||||||
|
Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
|
||||||
|
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
|
||||||
|
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
|
||||||
|
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
|
||||||
|
Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
|
||||||
|
|
||||||
|
# AlmaLinux 9
|
||||||
|
Patch1000: 0001-Add-AlmaLinux-9-support.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
|
BuildRequires: expat
|
||||||
BuildRequires: openscap-scanner >= 1.2.5
|
BuildRequires: openscap-scanner >= 1.2.5
|
||||||
BuildRequires: cmake >= 2.8
|
BuildRequires: cmake >= 2.8
|
||||||
BuildRequires: python3-devel
|
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||||
|
BuildRequires: /usr/bin/python3
|
||||||
BuildRequires: python%{python3_pkgversion}
|
BuildRequires: python%{python3_pkgversion}
|
||||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||||
Obsoletes: openscap-content < 0:0.9.13
|
|
||||||
Provides: openscap-content
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The scap-security-guide project provides a guide for configuration of the
|
The scap-security-guide project provides a guide for configuration of the
|
||||||
@ -46,7 +51,6 @@ further information.
|
|||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||||
Group: System Environment/Base
|
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
@ -54,7 +58,7 @@ The %{name}-doc package contains HTML formatted documents containing
|
|||||||
hardening guidances that have been generated from XCCDF benchmarks
|
hardening guidances that have been generated from XCCDF benchmarks
|
||||||
present in %{name} package.
|
present in %{name} package.
|
||||||
|
|
||||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
%if %{defined rhel}
|
||||||
%package rule-playbooks
|
%package rule-playbooks
|
||||||
Summary: Ansible playbooks per each rule.
|
Summary: Ansible playbooks per each rule.
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -65,58 +69,36 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -b1 -b2
|
%autosetup -p1
|
||||||
|
|
||||||
|
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
|
||||||
|
%define cmake_defines_specific %{nil}
|
||||||
|
%if 0%{?rhel}
|
||||||
|
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||||
|
%endif
|
||||||
|
%if 0%{?centos}
|
||||||
|
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
|
||||||
|
%endif
|
||||||
|
%if 0%{?almalinux}
|
||||||
|
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_ALMALINUX%{almalinux}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||||
|
%endif
|
||||||
|
|
||||||
%build
|
|
||||||
mkdir -p build
|
mkdir -p build
|
||||||
cd build
|
%build
|
||||||
%cmake \
|
%cmake %{cmake_defines_common} %{cmake_defines_specific}
|
||||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
|
||||||
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
|
||||||
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
|
||||||
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
|
||||||
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
|
|
||||||
%if %{defined centos}
|
|
||||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
|
|
||||||
%else
|
|
||||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
|
||||||
%endif
|
|
||||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
|
||||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
|
||||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
|
||||||
%endif
|
|
||||||
../
|
|
||||||
%cmake_build
|
%cmake_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
cd build
|
|
||||||
%cmake_install
|
%cmake_install
|
||||||
|
rm %{buildroot}/%{_docdir}/%{name}/README.md
|
||||||
# Manually install pre-built rhel6 content
|
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
|
||||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
|
||||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
|
||||||
|
|
||||||
# Manually install pre-built rhel7 content
|
|
||||||
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
|
|
||||||
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
|
|
||||||
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
|
|
||||||
|
|
||||||
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
|
|
||||||
# this is for backward compatibility
|
|
||||||
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
|
|
||||||
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{_datadir}/xml/scap/ssg/content
|
%{_datadir}/xml/scap/ssg/content
|
||||||
%{_datadir}/%{name}/kickstart
|
%{_datadir}/%{name}/kickstart
|
||||||
%{_datadir}/%{name}/ansible
|
%{_datadir}/%{name}/ansible/*.yml
|
||||||
%{_datadir}/%{name}/bash
|
|
||||||
%{_datadir}/%{name}/tailoring
|
|
||||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||||
%doc %{_docdir}/%{name}/LICENSE
|
%doc %{_docdir}/%{name}/LICENSE
|
||||||
%doc %{_docdir}/%{name}/README.md
|
|
||||||
%doc %{_docdir}/%{name}/Contributors.md
|
|
||||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||||
%endif
|
%endif
|
||||||
@ -125,427 +107,246 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo
|
|||||||
%doc %{_docdir}/%{name}/guides/*.html
|
%doc %{_docdir}/%{name}/guides/*.html
|
||||||
%doc %{_docdir}/%{name}/tables/*.html
|
%doc %{_docdir}/%{name}/tables/*.html
|
||||||
|
|
||||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
%if %{defined rhel}
|
||||||
%files rule-playbooks
|
%files rule-playbooks
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Nov 15 2024 Matthew Burket <mburket@redhat.com> - 0.1.75-1
|
* Thu Oct 27 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.63-5.alma
|
||||||
- Rebase scap-security-guide to the latest upstream version (RHEL-66153)
|
- Add AlmaLinux 9 support
|
||||||
- detection of Grub2 kernel command line arguments has been enhanced to cover more use cases (RHEL-53365)
|
|
||||||
|
|
||||||
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
|
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
|
||||||
- fix build
|
- OSPP: fix rule related to coredump (RHBZ#2081688)
|
||||||
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
|
|
||||||
|
|
||||||
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
|
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
|
||||||
- include RHEL 7 artifacts from the last RHEL 7 build
|
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
|
||||||
|
|
||||||
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
|
* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
|
||||||
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
|
- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
|
||||||
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
|
|
||||||
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
|
|
||||||
|
|
||||||
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
|
|
||||||
- Switch gating to tmt plan (RHEL-43242)
|
|
||||||
|
|
||||||
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
|
||||||
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
|
|
||||||
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
|
|
||||||
- Fix file path identification in Rsyslog configuration (RHEL-17202)
|
|
||||||
- Use a correct chrony server address in STIG profile (RHEL-1814)
|
|
||||||
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
|
|
||||||
|
|
||||||
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
|
|
||||||
- Unlist profiles no longer maintained in RHEL8.
|
|
||||||
|
|
||||||
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
|
||||||
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
|
|
||||||
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
|
|
||||||
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
|
|
||||||
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
|
|
||||||
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
|
|
||||||
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
|
|
||||||
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
|
|
||||||
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
|
|
||||||
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
|
|
||||||
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
|
|
||||||
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
|
|
||||||
- Update PCI-DSS to v4 (RHEL-1808)
|
|
||||||
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
|
|
||||||
|
|
||||||
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
|
|
||||||
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
|
|
||||||
|
|
||||||
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
|
||||||
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
|
|
||||||
- Fixed CCE link URL (RHBZ#2178516)
|
|
||||||
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
|
|
||||||
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
|
|
||||||
- Fixed rules related to AIDE configuration (RHBZ#2175684)
|
|
||||||
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
|
|
||||||
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
|
|
||||||
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
|
|
||||||
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
|
|
||||||
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
|
|
||||||
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
|
|
||||||
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
|
|
||||||
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
|
|
||||||
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
|
|
||||||
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
|
|
||||||
- Correct URL used to download CVE checks (RHBZ#2222583)
|
|
||||||
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
|
|
||||||
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
|
|
||||||
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
|
|
||||||
|
|
||||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
|
||||||
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
|
||||||
|
|
||||||
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
|
||||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
|
|
||||||
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
|
|
||||||
- Fix levels of CIS rules (RHBZ#2162803)
|
|
||||||
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
|
|
||||||
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
|
|
||||||
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
|
|
||||||
- Add rule for audit immutable login uids (RHBZ#2151553)
|
|
||||||
- Fix remediation of audit watch rules (RHBZ#2119356)
|
|
||||||
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
|
|
||||||
- Fix applicability of kerberos rules (RHBZ#2099394)
|
|
||||||
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
|
|
||||||
|
|
||||||
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
|
|
||||||
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
|
|
||||||
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
|
|
||||||
- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
|
|
||||||
- Fix compatibility with Ansible 2.14
|
|
||||||
|
|
||||||
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
|
|
||||||
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
|
|
||||||
|
|
||||||
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
|
|
||||||
- Fix Ansible partition conditional (RHBZ#2032403)
|
|
||||||
|
|
||||||
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||||
- aligning with the latest STIG update (RHBZ#2112937)
|
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
|
||||||
- OSPP: use Authselect minimal profile (RHBZ#2117192)
|
- OSPP: update rules related to coredumps (RHBZ#2081688)
|
||||||
- OSPP: change rules for protecting of boot (RHBZ#2116440)
|
- OSPP: update rules related to BPF (RHBZ#2081728)
|
||||||
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
|
- fix description of require_singleuser_mode (RHBZ#2092799)
|
||||||
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
|
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
|
||||||
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
|
- OSPP: use minimal Authselect profile(RHBZ#2114979)
|
||||||
- fix handling of Rsyslog include directives (RHBZ#2075384)
|
|
||||||
|
|
||||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
|
||||||
|
|
||||||
|
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
|
||||||
|
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
|
||||||
|
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
|
||||||
|
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
|
||||||
|
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
|
||||||
|
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
|
||||||
|
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
|
||||||
|
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
|
||||||
|
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
|
||||||
|
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
|
||||||
|
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
|
||||||
|
- Remove rules related to NIS services (RHBZ#2096602)
|
||||||
|
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
|
||||||
|
|
||||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||||
- Rebase to a new upstream release (RHBZ#2070564)
|
- Rebase to a new upstream release (RHBZ#2070563)
|
||||||
|
|
||||||
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
|
|
||||||
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
|
|
||||||
- Fix Ansible sysctl remediation (RHBZ#2079241)
|
|
||||||
|
|
||||||
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
|
||||||
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
|
|
||||||
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
|
|
||||||
|
|
||||||
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
|
||||||
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
|
||||||
|
|
||||||
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
|
|
||||||
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
|
||||||
|
|
||||||
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
|
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
|
||||||
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
|
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
|
||||||
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
|
||||||
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
|
- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
|
||||||
|
|
||||||
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||||
- Fix Ansible service disabled tasks (RHBZ#2014485)
|
- Fix Ansible service disabled tasks (RHBZ#2014561)
|
||||||
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
|
- Update description of OSPP profile (RHBZ#2045386)
|
||||||
|
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
|
||||||
|
|
||||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
|
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
|
||||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
|
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
|
||||||
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
|
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
|
||||||
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
|
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
|
||||||
- Update GRUB2 rule descriptions (RHBZ#2014485)
|
- Update GRUB2 rule descriptions (RHBZ#2020623)
|
||||||
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
|
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
|
||||||
|
|
||||||
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
|
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
|
||||||
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
|
- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
|
||||||
- Align audit rules for OSPP profile (RHBZ#2000264)
|
|
||||||
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
|
|
||||||
|
|
||||||
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
||||||
- Rebase to a new upstream release (RHBZ#2014485)
|
- Rebase to a new upstream release (RHBZ#2014561)
|
||||||
|
|
||||||
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
|
* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
|
||||||
- Rebase to a new upstream release (RHBZ#2014485)
|
- Rebase to a new upstream release (RHBZ#2014561)
|
||||||
|
- Enable Centos Stream 9 content (RHBZ#2021284)
|
||||||
|
|
||||||
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
|
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
|
||||||
- Rebase to a new upstream release. (RHBZ#2014485)
|
- Rebase to a new upstream release (RHBZ#2014561)
|
||||||
|
- Disable profiles that we disable in RHEL8
|
||||||
- Add a VM wait handling to fix issues with tests.
|
- Add a VM wait handling to fix issues with tests.
|
||||||
|
|
||||||
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
|
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
|
||||||
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
|
- Fix remediations applicability of zipl rules
|
||||||
|
Resolves: rhbz#1996847
|
||||||
|
|
||||||
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
|
||||||
- Fix remaining audit rules file permissions (RHBZ#1993056)
|
- Fix a broken HTTP link
|
||||||
- Mark a STIG service rule as machine only (RHBZ#1993056)
|
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
|
||||||
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
|
Resolves: rhbz#1962564
|
||||||
|
|
||||||
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
|
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
|
||||||
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
|
- Use SSHD directory-based configuration.
|
||||||
- Include tests for Ansible Playbooks that remove and reintroduce files.
|
Resolves: rhbz#1962564
|
||||||
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
|
- Introduce ISM kickstarts
|
||||||
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
|
Resolves: rhbz#1978290
|
||||||
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
|
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
|
||||||
- Add Kickstart files for ISM profile (RHBZ#1955373)
|
TLDR: Enable remediations by means of platform metadata,
|
||||||
- Fix broken RHEL7 documentation links (RHBZ#1966577)
|
enable the RHEL9 GPG rule, introduce the s390x platform,
|
||||||
|
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
|
||||||
|
address the subscription-manager package merge, and
|
||||||
|
enable and select more rules applicable to RHEL9.
|
||||||
|
Resolves: rhbz#1987227
|
||||||
|
Resolves: rhbz#1987226
|
||||||
|
Resolves: rhbz#1987231
|
||||||
|
Resolves: rhbz#1988289
|
||||||
|
|
||||||
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
|
||||||
- Update to the latest upstream release (RHBZ#1966577)
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
- Enable the ISM profile.
|
Related: rhbz#1991688
|
||||||
|
|
||||||
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
|
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||||
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
|
- Upgrade to the latest upstream release
|
||||||
|
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
|
||||||
|
|
||||||
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
|
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
|
||||||
- Update to the latest upstream release (RHBZ#1966577)
|
- Introduced the playbooks subpackage.
|
||||||
- Add ANSSI High Profile (RHBZ#1955183)
|
- Enabled CentOS content on CentOS systems.
|
||||||
|
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
|
||||||
|
|
||||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
|
||||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
|
||||||
|
|
||||||
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
|
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
|
||||||
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
|
- Upgrade to the latest upstream release
|
||||||
|
- remove README.md and Contributors.md
|
||||||
|
- remove SCAP component files
|
||||||
|
- remove SCAP 1.2 source data streams
|
||||||
|
- remove HTML guides for the virtual “(default)” profile
|
||||||
|
- remove profile Bash remediation scripts
|
||||||
|
- build only RHEL9 content
|
||||||
|
- remove other products
|
||||||
|
- use autosetup in %prep phase
|
||||||
|
|
||||||
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
|
||||||
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
|
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
|
||||||
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
|
- fix definition of build directory
|
||||||
|
|
||||||
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
|
||||||
- Update to the latest upstream release (RHBZ#1889344)
|
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
|
||||||
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
|
||||||
|
|
||||||
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
|
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
|
||||||
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
|
|
||||||
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
|
|
||||||
|
|
||||||
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
|
* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||||
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
|
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
|
||||||
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
|
||||||
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
|
|
||||||
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
|
|
||||||
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
|
|
||||||
|
|
||||||
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
|
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
|
||||||
- Update list of profiles built (RHBZ#1889344)
|
- revert previous rework, it did not solve the problem
|
||||||
|
|
||||||
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
|
||||||
- Update to the latest upstream release (RHBZ#1889344)
|
- rewrite solution for CMake out of source builds
|
||||||
|
|
||||||
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
|
* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
|
||||||
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
|
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
|
||||||
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
|
||||||
|
|
||||||
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
|
* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
|
||||||
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
|
- Update for new CMake out of source builds
|
||||||
|
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||||
|
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
|
||||||
|
|
||||||
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
|
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
|
||||||
- remove rationale from rules that contain defective links (rhbz#1854854)
|
- Second attempt - Rebuilt for
|
||||||
|
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
|
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
|
||||||
- fixed link in a grub2 rule description (rhbz#1854854)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
|
|
||||||
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
|
|
||||||
|
|
||||||
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
|
* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
|
||||||
- Update the scapval invocation (RHBZ#1815007)
|
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
|
||||||
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
|
||||||
- Change the spec file macro invocation from patch to Patch
|
|
||||||
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
|
|
||||||
|
|
||||||
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
|
* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
|
||||||
- fix description of HIPAA profile (RHBZ#1867559)
|
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
|
||||||
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
|
||||||
|
|
||||||
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
|
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
|
||||||
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
- Remove CCM from TLS Ciphersuites
|
|
||||||
|
|
||||||
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
|
* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
||||||
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
|
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
|
||||||
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
|
||||||
|
|
||||||
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
|
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||||
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
|
- Hotfix of the XML parsing fix.
|
||||||
|
|
||||||
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
|
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
|
||||||
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
|
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
|
||||||
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
|
||||||
|
- Fixed XML parsing of remediation functions.
|
||||||
|
|
||||||
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
|
* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
|
||||||
- CIS Ansible fixes (RHBZ#1760734)
|
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
|
||||||
- HIPAA Ansible fixes (RHBZ#1832760)
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
|
||||||
|
|
||||||
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
|
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
|
||||||
- HIPAA Profile (RHBZ#1832760)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
- Enable build of RHEL8 HIPAA Profile
|
|
||||||
- Add kickstarts for HIPAA
|
|
||||||
- CIS Profile (RHBZ#1760734)
|
|
||||||
- Add Ansible fix for sshd_set_max_sessions
|
|
||||||
- Add CIS Profile content attribution to Center for Internet Security
|
|
||||||
|
|
||||||
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
|
||||||
- Fix Ansible for no_direct_root_logins
|
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
|
||||||
- Fix Ansible template for SELinux booleans
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
|
||||||
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
|
|
||||||
|
|
||||||
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
|
||||||
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
|
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
|
||||||
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
|
||||||
|
- Update URL and source URL
|
||||||
|
|
||||||
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
|
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
|
||||||
- Update to the latest upstream release (RHBZ#1815007)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
|
* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
|
||||||
- Update to the latest upstream release (RHBZ#1815007)
|
|
||||||
|
|
||||||
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
|
|
||||||
- Update baseline package list of OSPP profile
|
|
||||||
|
|
||||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
|
|
||||||
- Rebuilt with correct spec file
|
|
||||||
|
|
||||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
|
|
||||||
- Add SRG references to STIG rules (RHBZ#1755447)
|
|
||||||
|
|
||||||
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
|
|
||||||
- Drop rsyslog rules from OSPP profile
|
|
||||||
- Update COBIT URI
|
|
||||||
- Add rules for strong source of RNG entropy
|
|
||||||
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
|
|
||||||
- STIG profile: added rsyslog rules and updated SRG mappings
|
|
||||||
- Split audit rules according to audit component (RHBZ#1791312)
|
|
||||||
|
|
||||||
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
|
|
||||||
- Update crypto-policy test scenarios
|
|
||||||
- Update max-path-len test to skip tests/logs directory
|
|
||||||
|
|
||||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
|
|
||||||
- Fix list of tables that are generated for RHEL8
|
|
||||||
|
|
||||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
|
|
||||||
|
|
||||||
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
|
||||||
- Improved the e8 profile (RHBZ#1755194)
|
|
||||||
|
|
||||||
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
|
|
||||||
|
|
||||||
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
|
|
||||||
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
|
|
||||||
|
|
||||||
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
|
|
||||||
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
|
|
||||||
|
|
||||||
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
|
|
||||||
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
|
|
||||||
|
|
||||||
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
|
|
||||||
- Use crypto-policy rules in OSPP profile.
|
|
||||||
- Re-enable FIREFOX and JRE product in build.
|
|
||||||
- Change test suite logging message about missing profile from ERROR to WARNING.
|
|
||||||
- Build only one version of SCAP content at a time.
|
|
||||||
|
|
||||||
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
|
|
||||||
|
|
||||||
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
|
|
||||||
- Ported changelog from late 8.0 builds.
|
|
||||||
- Disabled build of the OL8 product, updated other components of the cmake invocation.
|
|
||||||
|
|
||||||
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
|
|
||||||
|
|
||||||
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
|
|
||||||
- Assign CCE to rules from OSPP profile which were missing the identifier.
|
|
||||||
- Fix regular expression for Audit rules ordering
|
|
||||||
- Account for Audit rules flags parameter position within syscall
|
|
||||||
- Add remediations for Audit rules file path
|
|
||||||
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
|
|
||||||
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
|
|
||||||
- Add a Bash remediation for Audit rules that require ordering
|
|
||||||
|
|
||||||
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
|
|
||||||
- Assign CCE identifier to rules used by RHEL8 profiles.
|
|
||||||
|
|
||||||
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
|
|
||||||
- Fixed Crypto Policy OVAL for NSS
|
|
||||||
- Got rid of rules requiring packages dropped in RHEL8.
|
|
||||||
- Profile descriptions fixes.
|
|
||||||
|
|
||||||
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
|
|
||||||
- Update applicable platforms in crypto policy tests
|
|
||||||
|
|
||||||
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
|
|
||||||
- Introduce Podman backend for SSG Test suite
|
|
||||||
- Update bind and libreswan crypto policy test scenarios
|
|
||||||
|
|
||||||
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
|
|
||||||
- Further fix of profiles descriptions, so they don't contain literal '\'.
|
|
||||||
- Removed obsolete sshd rule from the OSPP profile.
|
|
||||||
|
|
||||||
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
|
|
||||||
- Fixed profiles descriptions, so they don't contain literal '\n'.
|
|
||||||
- Made the configure_kerberos_crypto_policy OVAL more robust.
|
|
||||||
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
|
|
||||||
|
|
||||||
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
|
|
||||||
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
|
|
||||||
|
|
||||||
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
|
|
||||||
- Added FIPS mode rule for the OSPP profile.
|
|
||||||
- Split the installed_OS_is certified rule.
|
|
||||||
- Explicitly disabled OSP13, RHV4 and Example products.
|
|
||||||
|
|
||||||
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
|
|
||||||
- Add missing kickstart files for RHEL8
|
|
||||||
- Disable profiles that are not in good shape for RHEL8
|
|
||||||
|
|
||||||
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
||||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
||||||
- System-wide crypto policies are introduced for RHEL8
|
- Fix man page build dependency on derivative content
|
||||||
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
|
|
||||||
|
|
||||||
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
|
* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
||||||
- Fix man page and package description
|
|
||||||
|
|
||||||
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
||||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
||||||
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
|
- Fix Licence of this package
|
||||||
|
|
||||||
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
|
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
|
||||||
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
|
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
|
||||||
- Only build content for rhel8 products
|
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
|
||||||
|
- Update to use Python3 for build.
|
||||||
|
|
||||||
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
|
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
|
||||||
- Update build of rhel8 content
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
|
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
|
||||||
- Enable build of rhel8 content
|
- Add python version to python2-jinja2 package
|
||||||
|
|
||||||
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
|
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
||||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
||||||
- Fix spec file to build using Python 3
|
|
||||||
- Fix License because upstream changed to BSD-3
|
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
|
||||||
|
- Add python version to python package prefixes
|
||||||
|
|
||||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
||||||
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
||||||
|