Compare commits
No commits in common. "imports/c8-beta/scap-security-guide-0.1.54-5.el8" and "c8" have entirely different histories.
3
.gitignore
vendored
@ -1,2 +1,3 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.77.tar.bz2
|
||||
|
@ -1,2 +1,3 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
3422596a0d3e3c2b68aa33683819b20b9a0c3ab0 SOURCES/scap-security-guide-0.1.77.tar.bz2
|
||||
|
@ -1,109 +0,0 @@
|
||||
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 3 Dec 2020 14:35:47 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
---
|
||||
rhel8/CMakeLists.txt | 6 ------
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/cjis.profile | 2 +-
|
||||
rhel8/profiles/ism_o.profile | 2 +-
|
||||
rhel8/profiles/rhelh-stig.profile | 2 +-
|
||||
rhel8/profiles/rhelh-vpp.profile | 2 +-
|
||||
rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
rhel8/profiles/standard.profile | 2 +-
|
||||
11 files changed, 10 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index d61689c97..5e444a101 100644
|
||||
--- a/rhel8/CMakeLists.txt
|
||||
+++ b/rhel8/CMakeLists.txt
|
||||
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
|
||||
|
||||
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
|
||||
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
|
||||
-
|
||||
ssg_build_html_cce_table(${PRODUCT})
|
||||
|
||||
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index ccad93d67..6a854378c 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'ANSSI BP-028 (high)'
|
||||
|
||||
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 035d2705b..c6475f33e 100644
|
||||
--- a/rhel8/profiles/cjis.profile
|
||||
+++ b/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
|
||||
index a3c427c01..4605dea3b 100644
|
||||
--- a/rhel8/profiles/ism_o.profile
|
||||
+++ b/rhel8/profiles/ism_o.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
metadata:
|
||||
SMEs:
|
||||
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
|
||||
index 1efca5f44..c3d0b0964 100644
|
||||
--- a/rhel8/profiles/rhelh-stig.profile
|
||||
+++ b/rhel8/profiles/rhelh-stig.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
|
||||
index 2baee6d66..8592d7aaf 100644
|
||||
--- a/rhel8/profiles/rhelh-vpp.profile
|
||||
+++ b/rhel8/profiles/rhelh-vpp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index c84579592..164ec98c4 100644
|
||||
--- a/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||||
|
||||
diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
index a63ae2cf3..da669bb84 100644
|
||||
--- a/rhel8/profiles/standard.profile
|
||||
+++ b/rhel8/profiles/standard.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
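--- /dev/null
+++ b/SOURCES/fix_scap_delta_tailoring.patch
@@ -0,0 +1,63 @@
+From 452ee249e43dc3ce5d1f052ed528a084f5a3657f Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 25 Feb 2025 16:55:19 +0100
+Subject: create_delta_scap_tailoring: pass path to build_config.yml explicitly
+when calling the script from cmake
+
+---
+cmake/SSGCommon.cmake | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index c5c2f0d55d..81ff323b82 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -658,7 +658,7 @@ macro(ssg_build_disa_delta PRODUCT PROFILE)
+add_custom_command(
+OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml"
+COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir -c ${CMAKE_BINARY_DIR}/build_config.yml
+DEPENDS "${PRODUCT}-content"
+COMMENT "[${PRODUCT}-generate-ssg-delta] generating disa tailoring file"
+)
+--
+2.48.1
+
+
+From 6def0e0e54497f32b8be6b1511fe98e324bc057d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 25 Feb 2025 17:08:54 +0100
+Subject: create_scap_delta_tailoring: remove hardcoded build directory
+
+---
+utils/create_scap_delta_tailoring.py | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
+index ee85a57bc0..04ca197c5f 100755
+--- a/utils/create_scap_delta_tailoring.py
++++ b/utils/create_scap_delta_tailoring.py
+@@ -24,8 +24,8 @@ NS = {'scap': ssg.constants.datastream_namespace,
+PROFILE = 'stig'
+
+
+-def get_profile(product, profile_name):
+- ds_root = ET.parse(os.path.join(SSG_ROOT, 'build', 'ssg-{product}-ds.xml'
++def get_profile(product, profile_name, build_root):
++ ds_root = ET.parse(os.path.join(build_root, 'ssg-{product}-ds.xml'
+.format(product=product))).getroot()
+profiles = ds_root.findall(
+'.//{{{scap}}}component/{{{xccdf}}}Benchmark/{{{xccdf}}}Profile'.format(
+@@ -177,7 +177,7 @@ def create_tailoring(args):
+args.build_root)
+needed_rules = filter_out_implemented_rules(known_rules, NS, benchmark_root)
+needed_rule_names_set = set(rulename for ruleset in needed_rules.values() for rulename in ruleset)
+- profile_root = get_profile(args.product, args.profile)
++ profile_root = get_profile(args.product, args.profile, args.build_root)
+selections = profile_root.findall('xccdf-1.2:select', NS)
+tailoring_profile = setup_tailoring_profile(args.profile_id, profile_root)
+for selection in selections:
+--
+2.48.1
+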
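Review bot: The new `-c ${CMAKE_BINARY_DIR}/build_config.yml` argument in the SSGCommon.cmake hunk is left unquoted, as is the pre-existing `--build-root ${CMAKE_BINARY_DIR}` next to it, while every other path on that COMMAND line is quoted; a build directory containing a space or semicolon would be split into several arguments and the script would receive a wrong config path. Quoting it, `-c "${CMAKE_BINARY_DIR}/build_config.yml"`, matches the rest of the line, and adding `VERBATIM` to this `add_custom_command` would make the escaping generator-independent. The `DEPENDS "${PRODUCT}-content"` line also does not list `utils/create_scap_delta_tailoring.py` or `build_config.yml`, so edits to either appear not to re-trigger the tailoring generation, though that predates this patch. The enclosing `ssg_build_disa_delta` macro starts and ends outside the hunk. The Python hunk's `get_profile` change looks consistent with its single visible caller in `create_tailoring`.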
@ -1,187 +0,0 @@
|
||||
From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 17 Feb 2021 15:36:59 +0100
|
||||
Subject: [PATCH] Remove kickstart for profile not shipped
|
||||
|
||||
RHEL-8 ANSSI high is not shipped at the momment
|
||||
---
|
||||
.../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
|
||||
1 file changed, 167 deletions(-)
|
||||
delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
deleted file mode 100644
|
||||
index b5c09253a..000000000
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ /dev/null
|
||||
@@ -1,167 +0,0 @@
|
||||
-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
|
||||
-# Version: 0.0.1
|
||||
-# Date: 2020-12-10
|
||||
-#
|
||||
-# Based on:
|
||||
-# https://pykickstart.readthedocs.io/en/latest/
|
||||
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
-
|
||||
-# Specify installation method to use for installation
|
||||
-# To use a different one comment out the 'url' one below, update
|
||||
-# the selected choice with proper options & un-comment it
|
||||
-#
|
||||
-# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
-# --url the URL to install from
|
||||
-#
|
||||
-# Example:
|
||||
-#
|
||||
-# url --url=http://192.168.122.1/image
|
||||
-#
|
||||
-# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
-# environment machine is to be installed in
|
||||
-#
|
||||
-# Other possible / supported installation methods:
|
||||
-# * install from the first CD-ROM/DVD drive on the system:
|
||||
-#
|
||||
-# cdrom
|
||||
-#
|
||||
-# * install from a directory of ISO images on a local drive:
|
||||
-#
|
||||
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
-#
|
||||
-# * install from provided NFS server:
|
||||
-#
|
||||
-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
-#
|
||||
-# Set language to use during installation and the default language to use on the installed system (required)
|
||||
-lang en_US.UTF-8
|
||||
-
|
||||
-# Set system keyboard type / layout (required)
|
||||
-keyboard us
|
||||
-
|
||||
-# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
-# --onboot enable device at a boot time
|
||||
-# --device device to be activated and / or configured with the network command
|
||||
-# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
-# --noipv6 disable IPv6 on this device
|
||||
-#
|
||||
-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
-# "--bootproto=static" must be used. For example:
|
||||
-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
-#
|
||||
-network --onboot yes --bootproto dhcp --noipv6
|
||||
-
|
||||
-# Set the system's root password (required)
|
||||
-# Plaintext password is: server
|
||||
-# Refer to e.g.
|
||||
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
-# to see how to create encrypted password form for different plaintext password
|
||||
-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||
-
|
||||
-# The selected profile will restrict root login
|
||||
-# Add a user that can login and escalate privileges
|
||||
-# Plaintext password is: admin123
|
||||
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
-
|
||||
-# Configure firewall settings for the system (optional)
|
||||
-# --enabled reject incoming connections that are not in response to outbound requests
|
||||
-# --ssh allow sshd service through the firewall
|
||||
-firewall --enabled --ssh
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
-# Set the system time zone (required)
|
||||
-timezone --utc America/New_York
|
||||
-
|
||||
-# Specify how the bootloader should be installed (required)
|
||||
-# Plaintext password is: password
|
||||
-# Refer to e.g.
|
||||
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
-# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
-
|
||||
-# Initialize (format) all disks (optional)
|
||||
-zerombr
|
||||
-
|
||||
-# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
-# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
-#
|
||||
-# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
-# --linux erase all Linux partitions
|
||||
-# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
-clearpart --linux --initlabel
|
||||
-
|
||||
-# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
-part pv.01 --grow --size=1
|
||||
-
|
||||
-# Create a Logical Volume Management (LVM) group (optional)
|
||||
-volgroup VolGroup --pesize=4096 pv.01
|
||||
-
|
||||
-# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
-# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
-# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
-# Ensure /tmp Located On Separate Partition
|
||||
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/tmp Located On Separate Partition
|
||||
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
-# Ensure /var/log Located On Separate Partition
|
||||
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/log/audit Located On Separate Partition
|
||||
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
-logvol swap --name=swap --vgname=VolGroup --size=2016
|
||||
-
|
||||
-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||
-# content - security policies - on the installed system.This add-on has been enabled by default
|
||||
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
|
||||
-# functionality will automatically be installed. However, by default, no policies are enforced,
|
||||
-# meaning that no checks are performed during or after installation unless specifically configured.
|
||||
-#
|
||||
-# Important
|
||||
-# Applying a security policy is not necessary on all systems. This screen should only be used
|
||||
-# when a specific policy is mandated by your organization rules or government regulations.
|
||||
-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
|
||||
-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
|
||||
-# Values can be optionally enclosed in single quotes (') or double quotes (").
|
||||
-#
|
||||
-# The following keys are recognized by the add-on:
|
||||
-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
|
||||
-# - If the content-type is scap-security-guide, the add-on will use content provided by the
|
||||
-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
|
||||
-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
|
||||
-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
|
||||
-# xccdf-id - ID of the benchmark you want to use.
|
||||
-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
|
||||
-# profile - ID of the profile to be applied. Use default to apply the default profile.
|
||||
-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
|
||||
-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
|
||||
-#
|
||||
-# The following is an example %addon org_fedora_oscap section which uses content from the
|
||||
-# scap-security-guide on the installation media:
|
||||
-%addon org_fedora_oscap
|
||||
- content-type = scap-security-guide
|
||||
- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
|
||||
-%end
|
||||
-
|
||||
-# Packages selection (%packages section is required)
|
||||
-%packages
|
||||
-
|
||||
-# Require @Base
|
||||
-@Base
|
||||
-
|
||||
-%end # End of %packages section
|
||||
-
|
||||
-# Reboot after the installation is complete (optional)
|
||||
-# --eject attempt to eject CD or DVD media before rebooting
|
||||
-reboot --eject
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,137 +0,0 @@
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
index 7da2e067a6..5d01170aab 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
@@ -33,6 +33,7 @@ references:
|
||||
cis@sle12: 5.2.4
|
||||
cis@sle15: 5.2.6
|
||||
stigid@rhel7: RHEL-07-040710
|
||||
+ stigid@ol7: OL07-00-040710
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
index 87c3cb7f5a..5683676bfc 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
@@ -23,7 +23,6 @@ identifiers:
|
||||
cce@sle12: CCE-83017-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040710
|
||||
cui: 3.1.13
|
||||
disa: CCI-000366
|
||||
nist: CM-6(a),AC-17(a),AC-17(2)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
index 50c7d689af..42cb32e30e 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -51,7 +51,6 @@ identifiers:
|
||||
cce@rhel8: CCE-81032-5
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040110
|
||||
cis: 5.2.10
|
||||
cjis: 5.5.6
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
index 0751064179..73de17af35 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -32,6 +32,7 @@ references:
|
||||
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
||||
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040110
|
||||
+ stigid@ol7: OL07-00-040110
|
||||
|
||||
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index c490756daf..13997f9418 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -46,7 +46,6 @@ identifiers:
|
||||
cce@sle12: CCE-83036-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040400
|
||||
cis: 5.2.12
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index 88d2d77e14..bd597f0860 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -25,6 +25,7 @@ references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040400
|
||||
+ stigid@ol7: OL07-00-040400
|
||||
|
||||
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
index 7267d2443a..b0fe065d86 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -26,6 +26,7 @@ identifiers:
|
||||
references:
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stig@rhel7: RHEL-07-040711
|
||||
+ stig@ol7: OL07-00-040711
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 820a942220..dfcbbafd17 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
|
||||
ocil: |-
|
||||
To verify the assigned home directory of all interactive users is group-
|
||||
owned by that users primary GID, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
index 7d5778d4f6..37cb36cda3 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
|
||||
|
||||
ocil: |-
|
||||
To verify the home directory ownership, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
|
@ -1,34 +0,0 @@
|
||||
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 09:42:26 +0100
|
||||
Subject: [PATCH] Add metadata to ANSSI R35
|
||||
|
||||
Current implementation cannot diferentiate between system and
|
||||
standard user umask, they are both set to the same value.
|
||||
---
|
||||
controls/anssi.yml | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..621996e985 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -572,10 +572,18 @@ controls:
|
||||
only be read by the user and his group, and be editable only by his owner).
|
||||
The umask for users must be set to 0077 (any file created by a user is
|
||||
readable and editable only by him).
|
||||
+ notes: >-
|
||||
+ There is no simple way to check and remediate different umask values for
|
||||
+ system and standard users reliably.
|
||||
+ The different values are set in a conditional clause in a shell script
|
||||
+ (e.g. /etc/profile or /etc/bashrc).
|
||||
+ The current implementation checks and fixes both umask to the same value.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- var_accounts_user_umask=077
|
||||
- accounts_umask_etc_login_defs
|
||||
- accounts_umask_etc_profile
|
||||
+ - accounts_umask_etc_bashrc
|
||||
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
@ -1,94 +0,0 @@
|
||||
From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:03 +0100
|
||||
Subject: [PATCH 1/3] add rule
|
||||
|
||||
---
|
||||
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
|
||||
1 file changed, 34 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..1811c43815
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol8,rhel7,rhel8
|
||||
+
|
||||
+title: 'Disable loading and unloading of kernel modules'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Malicious kernel modules can have a significant impact on system security and
|
||||
+ availability. Disabling loading of kernel modules prevents this threat. Note
|
||||
+ that once this option has been set, it cannot be reverted without doing a
|
||||
+ system reboot. Make sure that all needed kernel modules are loaded before
|
||||
+ setting this option.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83392-1
|
||||
+ cce@rhel8: CCE-83397-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R24)
|
||||
+
|
||||
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: kernel.modules_disabled
|
||||
+ sysctlval: '1'
|
||||
+ datatype: int
|
||||
|
||||
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:15 +0100
|
||||
Subject: [PATCH 2/3] add rule to anssi profile
|
||||
|
||||
---
|
||||
controls/anssi.yml | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 9e2b899b6d..f435459af3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -483,7 +483,8 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
- # rules: TBD
|
||||
+ rules:
|
||||
+ - sysctl_kernel_modules_disabled
|
||||
|
||||
- id: R25
|
||||
level: enhanced
|
||||
|
||||
From a4a91fbb7f23854e4f80819a023c1adc4e7110c5 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 14 Jan 2021 09:30:01 +0100
|
||||
Subject: [PATCH 3/3] remove cces from pool
|
||||
|
||||
---
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4dbec8255c..137d975a3d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,5 +1,3 @@
|
||||
-CCE-83392-1
|
||||
-CCE-83397-0
|
||||
CCE-83398-8
|
||||
CCE-83399-6
|
||||
CCE-83404-4
|
@ -1,117 +0,0 @@
|
||||
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:25:05 +0200
|
||||
Subject: [PATCH 1/2] var pam unix remember, add selector
|
||||
|
||||
Add selector "2" to var_password_pam_unix_remember.
|
||||
---
|
||||
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
index f533a36963..6e7abb3b78 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
@@ -18,6 +18,7 @@ options:
|
||||
"0": "0"
|
||||
10: 10
|
||||
24: 24
|
||||
+ 2: 2
|
||||
4: 4
|
||||
5: 5
|
||||
default: 5
|
||||
|
||||
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:29:47 +0200
|
||||
Subject: [PATCH 2/2] Select rules for password strenght management
|
||||
|
||||
Rule selection is based on ANSSI DAT-NT-001
|
||||
---
|
||||
controls/anssi.yml | 45 ++++++++++++++++++-
|
||||
.../var_password_pam_minlen.var | 2 +
|
||||
...ar_accounts_password_minlen_login_defs.var | 2 +
|
||||
3 files changed, 48 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..3ccd0f8cb3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -281,7 +281,50 @@ controls:
|
||||
- id: R18
|
||||
level: minimal
|
||||
title: Administrator password robustness
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The rules selected below establish a general password strength baseline of 100 bits,
|
||||
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
|
||||
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
|
||||
+
|
||||
+ The baseline should be reviewed and tailored to the system's use case and needs.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ # Renew passwords every 90 days
|
||||
+ - var_accounts_maximum_age_login_defs=90
|
||||
+ - accounts_maximum_age_login_defs
|
||||
+
|
||||
+ # Ensure passwords with minimum of 18 characters
|
||||
+ - var_password_pam_minlen=18
|
||||
+ - accounts_password_pam_minlen
|
||||
+ # Enforce password lenght for new accounts
|
||||
+ - var_accounts_password_minlen_login_defs=18
|
||||
+ - accounts_password_minlen_login_defs
|
||||
+ # Require at Least 1 Special Character in Password
|
||||
+ - var_password_pam_ocredit=1
|
||||
+ - accounts_password_pam_ocredit
|
||||
+ # Require at Least 1 Numeric Character in Password
|
||||
+ - var_password_pam_dcredit=1
|
||||
+ - accounts_password_pam_dcredit
|
||||
+ # Require at Least 1 Uppercase Character in Password
|
||||
+ - var_password_pam_ucredit=1
|
||||
+ - accounts_password_pam_ucredit
|
||||
+ # Require at Least 1 Lowercase Character in Password
|
||||
+ - var_password_pam_lcredit=1
|
||||
+ - accounts_password_pam_lcredit
|
||||
+
|
||||
+ # Lock out users after 3 failed authentication attempts within 15 min
|
||||
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
+ - accounts_passwords_pam_faillock_interval
|
||||
+ - var_accounts_passwords_pam_faillock_deny=3
|
||||
+ - accounts_passwords_pam_faillock_deny
|
||||
+ - accounts_passwords_pam_faillock_deny_root
|
||||
+ # Automatically unlock users after 15 min to prevent DoS
|
||||
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
||||
+ - accounts_passwords_pam_faillock_unlock_time
|
||||
+
|
||||
+ # Do not reuse last two passwords
|
||||
+ - var_password_pam_unix_remember=2
|
||||
+ - accounts_password_pam_unix_remember
|
||||
|
||||
- id: R19
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
index f506a090bb..873d907ab9 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
@@ -15,6 +15,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
7: 7
|
||||
8: 8
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
index f41ff432ec..662c53b076 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
@@ -13,6 +13,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
8: 8
|
||||
default: 15
|
@ -1,47 +0,0 @@
|
||||
From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 28 Oct 2020 18:52:13 +0100
|
||||
Subject: [PATCH] Select rules for ANSSI R37
|
||||
|
||||
These rules are better fit for R37 than R38.
|
||||
R37 is about binaries designed to be used with setuid or setgid bits.
|
||||
R38 is about reducing number of binaries with setuid root.
|
||||
---
|
||||
controls/anssi.yml | 17 ++++++++++++-----
|
||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..4648b98dff 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -590,8 +590,17 @@ controls:
|
||||
|
||||
- id: R37
|
||||
level: minimal
|
||||
- title: Executables with setuid and/or setgid bits
|
||||
- # rules: TBD
|
||||
+ title: Executables with setuid and setgid bits
|
||||
+ notes: >-
|
||||
+ Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
|
||||
+ This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
|
||||
+ recognized and authorized repositories (covered in R15).
|
||||
+ The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
|
||||
+ should be reviewed.
|
||||
+ automated: yes
|
||||
+ rules:
|
||||
+ - file_permissions_unauthorized_suid
|
||||
+ - file_permissions_unauthorized_sgid
|
||||
|
||||
- id: R38
|
||||
level: enhanced
|
||||
@@ -600,9 +609,7 @@ controls:
|
||||
Setuid executables should be as small as possible. When it is expected
|
||||
that only the administrators of the machine execute them, the setuid bit
|
||||
must be removed and prefer them commands like su or sudo, which can be monitored
|
||||
- rules:
|
||||
- - file_permissions_unauthorized_suid
|
||||
- - file_permissions_unauthorized_sgid
|
||||
+ # rules: TBD
|
||||
|
||||
- id: R39
|
||||
level: intermediary
|
@ -1,37 +0,0 @@
|
||||
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:04:05 +0100
|
||||
Subject: [PATCH] Add variable selector and notes for R29
|
||||
|
||||
---
|
||||
controls/anssi.yml | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..3303d70295 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -521,10 +521,22 @@ controls:
|
||||
description: >-
|
||||
Remote user sessions (shell access, graphical clients) must be closed
|
||||
after a certain period of inactivity.
|
||||
+ notes: >-
|
||||
+ There is no specific capability to check remote user inactivity, but some shells allow the
|
||||
+ session inactivity time out to be configured via TMOUT variable.
|
||||
+ In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
|
||||
+ The server is configured to disconnect sessions if no data has been received within the idle timeout,
|
||||
+ regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
|
||||
+ In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
|
||||
+ The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
|
||||
+ "don't disconnect network inactive sessions". The server either probes for the client liveness
|
||||
+ or keeps inactive sessions connected.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- accounts_tmout
|
||||
+ - var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- - sshd_idle_timeout_value=5_minutes
|
||||
+ - sshd_idle_timeout_value=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
|
@ -1,106 +0,0 @@
|
||||
From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:07:48 +0100
|
||||
Subject: [PATCH 1/4] add rule
|
||||
|
||||
---
|
||||
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 3 --
|
||||
2 files changed, 43 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..67131e509c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -0,0 +1,43 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol7,rhel7
|
||||
+
|
||||
+title: 'Prevent remote hosts from connecting to the proxy display'
|
||||
+
|
||||
+description: |-
|
||||
+ The SSH daemon should prevent remote hosts from connecting to the proxy
|
||||
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
|
||||
+ <tt>yes</tt> within the SSH server configuration file.
|
||||
+
|
||||
+
|
||||
+rationale: |-
|
||||
+ When X11 forwarding is enabled, there may be additional exposure to the
|
||||
+ server and client displays if the sshd proxy display is configured to listen
|
||||
+ on the wildcard address. By default, sshd binds the forwarding server to the
|
||||
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
|
||||
+ environment variable to localhost. This prevents remote hosts from
|
||||
+ connecting to the proxy display.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83404-4
|
||||
+
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stig@rhel7: RHEL-07-040711
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+
|
||||
+ocil_clause: "the display proxy is listening on wildcard address"
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: sshd_lineinfile
|
||||
+ vars:
|
||||
+ missing_parameter_pass: 'false'
|
||||
+ parameter: X11UseLocalhost
|
||||
+ rule_id: sshd_x11_use_localhost
|
||||
+ value: 'yes'
|
||||
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:08:08 +0100
|
||||
Subject: [PATCH 2/4] add rule to the stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 88b50d5ef4..817e0982e5 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -286,6 +286,7 @@ selections:
|
||||
- package_vsftpd_removed
|
||||
- package_tftp-server_removed
|
||||
- sshd_enable_x11_forwarding
|
||||
+ - sshd_x11_use_localhost
|
||||
- tftpd_uses_secure_mode
|
||||
- package_xorg-x11-server-common_removed
|
||||
- xwindows_runlevel_target
|
||||
|
||||
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Fri, 15 Jan 2021 07:46:09 +0100
|
||||
Subject: [PATCH 4/4] Update
|
||||
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
|
||||
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
index 67131e509c..7267d2443a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -37,7 +37,7 @@ ocil: |-
|
||||
template:
|
||||
name: sshd_lineinfile
|
||||
vars:
|
||||
- missing_parameter_pass: 'false'
|
||||
+ missing_parameter_pass: 'true'
|
||||
parameter: X11UseLocalhost
|
||||
rule_id: sshd_x11_use_localhost
|
||||
value: 'yes'
|
@ -1,196 +0,0 @@
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 851993512..515a4a172 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -850,7 +850,8 @@ controls:
|
||||
- id: R63
|
||||
level: intermediary
|
||||
title: Explicit arguments in sudo specifications
|
||||
- # rules: TBD
|
||||
+ rules:
|
||||
+ - sudoers_explicit_command_args
|
||||
|
||||
- id: R64
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 000000000..94a0cb421
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
||||
@@ -0,0 +1,25 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="Make sure that no command in user spec is without any argument"
|
||||
+ id="test_{{{ rule_id }}}" version="1">
|
||||
+ <ind:object object_ref="object_{{{ rule_id }}}" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
+ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
|
||||
+ where a command is <runas spec>?<anything except ,>+,
|
||||
+ - ',' is a command delimiter, while
|
||||
+ The last capturing group holds the offending command without args.
|
||||
+ -->
|
||||
+ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||||
new file mode 100644
|
||||
index 000000000..a0590c8b0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||||
@@ -0,0 +1,46 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: "Explicit arguments in sudo specifications"
|
||||
+
|
||||
+description: |-
|
||||
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
|
||||
+ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
|
||||
+ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
|
||||
+ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
|
||||
+ level of its specification.
|
||||
+
|
||||
+ For example, on some systems, the kernel messages are only accessible by root.
|
||||
+ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
|
||||
+ in order to prevent the user from flushing the buffer through the -c option:
|
||||
+ <pre>
|
||||
+ user ALL = dmesg ""
|
||||
+ </pre>
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83631-2
|
||||
+ cce@rhel8: CCE-83632-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R63)
|
||||
+
|
||||
+ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine if arguments that commands can be executed with are restricted, run the following command:
|
||||
+ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ The command should return no output.
|
||||
+
|
||||
+platform: sudo
|
||||
+
|
||||
+warnings:
|
||||
+ - general:
|
||||
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
|
||||
+
|
||||
+ - general:
|
||||
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
|
||||
+ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
||||
new file mode 100644
|
||||
index 000000000..b0d05b2a5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
|
||||
+echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..c6f885f9f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..fce851f55
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..baf66468d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# remediation = none
|
||||
+# packages = sudo
|
||||
+
|
||||
+# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
|
||||
+# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
|
||||
+# and val2 is another command in the user spec.
|
||||
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
|
||||
+
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..9a04a205a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
||||
new file mode 100644
|
||||
index 000000000..4a3a7c94b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
||||
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
||||
+echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
||||
new file mode 100644
|
||||
index 000000000..9643a3337
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# packages = sudo
|
||||
+# remediation = none
|
||||
+
|
||||
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
||||
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
||||
+echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
||||
+
|
||||
+echo 'user ALL = ALL' > /etc/sudoers.d/bar
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4dbec8255..94a116b59 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -140,8 +140,6 @@ CCE-83626-2
|
||||
CCE-83627-0
|
||||
CCE-83628-8
|
||||
CCE-83629-6
|
||||
-CCE-83631-2
|
||||
-CCE-83632-0
|
||||
CCE-83633-8
|
||||
CCE-83634-6
|
||||
CCE-83635-3
|
@ -1,213 +0,0 @@
|
||||
From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Thu, 4 Feb 2021 09:43:51 +0100
|
||||
Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
|
||||
|
||||
---
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
|
||||
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
|
||||
9 files changed, 18 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 52af3ef47e..4e249f61e2 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index 702f23d4dc..a1511b157a 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index b875692944..981d291847 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
index 4a114aebb6..7fc4945518 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
|
||||
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
# Ensure /usr Located On Separate Partition
|
||||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
# Ensure /opt Located On Separate Partition
|
||||
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
|
||||
# Ensure /var/tmp Located On Separate Partition
|
||||
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
# Ensure /var/log Located On Separate Partition
|
||||
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
# Ensure /var/log/audit Located On Separate Partition
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
index bf3804b3fa..ee3a20bcc2 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
|
||||
@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
|
||||
volgroup VolGroup --pesize=4096 pv.01
|
||||
|
||||
# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
||||
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
|
||||
# Ensure /home Located On Separate Partition
|
||||
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
# Ensure /tmp Located On Separate Partition
|
||||
@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
index 6e0f83ebb7..8e4b92584f 100644
--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
index 119e98364f..ec490c38ee 100644
--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
index 21a50f52fd..386cbcc169 100644
--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
index a3e5e5fec1..28f7ff0927 100644
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
@ -1,426 +0,0 @@
From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:41:26 +0100
Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
- No need to restrict IPv6
- Root login is not restricted
- Simplify boot command
- Simplify paritioning
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++--------------
.../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------
2 files changed, 5 insertions(+), 94 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
index 4160ac094c..9bc4eae44f 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
@@ -54,7 +54,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
+network --onboot yes --device eth0 --bootproto dhcp
# Set the system's root password (required)
# Plaintext password is: server
@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
# encrypted password form for different plaintext password
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +75,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
@@ -103,33 +89,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+autopart
# Despite the ID referencing NT-28, the profile is aligned to BP-028
%addon org_fedora_oscap
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 7fc4945518..1d62b55d55 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
# to see how to create encrypted password form for different plaintext password
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +66,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
@@ -103,33 +80,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-logvol swap --name=swap --vgname=VolGroup --size=2016
+autopart
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system.This add-on has been enabled by default
From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:53:20 +0100
Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
- Simplify boot command
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
index ab654410b5..20c4c59a78 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 981d291847..3a241b06f4 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:03:09 +0100
Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
- Keep restricting IPv6
- Audit enabled during boot
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 2e75873a28..1d35bedb91 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 4e249f61e2..728946ecb7 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:08:15 +0100
Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
---
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
index 745dcbd058..73225c2fab 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
@@ -89,7 +89,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index a1511b157a..cd0eff2625 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
@@ -89,7 +80,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
@ -1,57 +0,0 @@
From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 01:02:48 +0100
Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
Remediating this during kickstart install time renders the machine
unbootable.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 1811c43815..34e8290f74 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -32,3 +32,6 @@ template:
sysctlvar: kernel.modules_disabled
sysctlval: '1'
datatype: int
+ backends:
+ # Automated remediation of this rule disrupts installs via kickstart
+ bash: 'off'
From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:23:17 +0100
Subject: [PATCH 2/2] Add warning why rule has no remediation
Rule sysctl_kernel_modules_disabled disrupts the install and boot
process if remediated during installation.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 34e8290f74..438cd2759e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -26,6 +26,11 @@ references:
|
||||
|
||||
platform: machine
|
||||
|
||||
+warnings:
|
||||
+ - general:
|
||||
+ This rule doesn't come with Bash remediation.
|
||||
+ Remediating this rule during the installation process disrupts the install and boot process.
|
||||
+
|
||||
template:
|
||||
name: sysctl
|
||||
vars:
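Review bot: The new `general` warning tells the reader only that Bash remediation is absent; it does not say that any other remediation this template may still generate (Ansible, if the sysctl template emits one — not visible here) sets the same `kernel.modules_disabled=1` and presumably disrupts first boot in the same way, nor when the setting is safe to apply. I would extend the warning text to give the operator that guidance, e.g. `Apply this setting only on a fully provisioned system after every kernel module it needs has been loaded; once set to 1 the value cannot be cleared without a reboot.` The one-way nature of this sysctl is kernel behaviour I am recalling rather than something shown on this page, so confirm it before wording the warning that strongly. The rule.yml continues outside both hunks of this patch.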
|
||||
@@ -33,5 +38,5 @@ template:
|
||||
sysctlval: '1'
|
||||
datatype: int
|
||||
backends:
|
||||
- # Automated remediation of this rule disrupts installs via kickstart
|
||||
+ # Automated remediation of this rule during installations disrupts the first boot
|
||||
bash: 'off'
|
@ -1,62 +0,0 @@
|
||||
From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 12 Feb 2021 10:36:10 +0100
|
||||
Subject: [PATCH] remove mrules disabling vfat file systems from cis profiles
|
||||
|
||||
---
|
||||
rhcos4/profiles/moderate.profile | 1 -
|
||||
rhel7/profiles/cis.profile | 3 +--
|
||||
rhel8/profiles/cis.profile | 4 ++--
|
||||
sle15/profiles/cis.profile | 1 -
|
||||
4 files changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
|
||||
index 4e715cae9a..966e092c97 100644
|
||||
--- a/rhcos4/profiles/moderate.profile
|
||||
+++ b/rhcos4/profiles/moderate.profile
|
||||
@@ -627,4 +627,3 @@ selections:
|
||||
- kernel_module_squashfs_disabled
|
||||
- kernel_module_udf_disabled
|
||||
- kernel_module_usb-storage_disabled
|
||||
- - kernel_module_vfat_disabled
|
||||
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
||||
index 22d5117546..093d2b5759 100644
|
||||
--- a/rhel7/profiles/cis.profile
|
||||
+++ b/rhel7/profiles/cis.profile
|
||||
@@ -46,8 +46,7 @@ selections:
|
||||
#### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual)
|
||||
|
||||
### 1.1.2 Ensure separate partition exists for /tmp (Scored)
|
||||
- partition_for_tmp
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index 9ceeb74f9a..e96d2fbb9d 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -31,8 +31,8 @@ selections:
|
||||
#### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
|
||||
- kernel_module_cramfs_disabled
|
||||
|
||||
- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
|
||||
+
|
||||
|
||||
#### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
|
||||
- kernel_module_squashfs_disabled
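Review bot: The rhel8/profiles/cis.profile hunk leaves the `#### 1.1.1.2` heading with an empty selection and no comment, so the next editor cannot tell that the omission is deliberate rather than an accidental deletion. Neither the commit message nor the hunk gives the reason; if it is the usual one — the EFI System Partition is FAT-formatted, so blacklisting `vfat` breaks `/boot/efi` on UEFI installs — I would record it under the heading, e.g. `# kernel_module_vfat_disabled is intentionally not selected: vfat is required for /boot/efi on UEFI systems and CIS marks this item Not Scored`. The commit subject names CIS profiles only, while the rhcos4/profiles/moderate.profile hunk above also drops the rule, which the message should mention.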
|
||||
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
|
||||
index 9a0efedbdd..fa9ff3b775 100644
|
||||
--- a/sle15/profiles/cis.profile
|
||||
+++ b/sle15/profiles/cis.profile
|
||||
@@ -25,7 +25,6 @@ selections:
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
#### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
|
||||
### 1.1.2 Ensure /tmp is configured (Scored)
|
||||
- partition_for_tmp
|
@ -1,24 +0,0 @@
|
||||
From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 25 Jan 2021 18:28:26 +0100
|
||||
Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
|
||||
rule.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
2 files changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index dc9f7dca7c..88d2d77e14 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -19,7 +19,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
- cce@rhel7: CCE-83398-8
|
||||
+ cce@rhel7: CCE-83636-1
|
||||
|
||||
references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
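Review bot: The diffstat lists `shared/references/cce-redhat-avail.txt | 1 -`, but the patch as rendered here is 24 lines and contains only the rule.yml hunk, so the removal of CCE-83636-1 from the pool of available identifiers is not part of this patch. Applied as-is, CCE-83636-1 stays in cce-redhat-avail.txt and can be handed out a second time, which defeats the purpose of assigning a unique identifier; the missing hunk should be restored, or the diffstat corrected if the list was updated in a separate patch. The commit message should also say why CCE-83398-8 had to be replaced, since a reader cannot tell whether it was a duplicate or a typo.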
|
@ -1,39 +0,0 @@
|
||||
From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 16 Feb 2021 15:49:46 +0100
|
||||
Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG
|
||||
profile.
|
||||
|
||||
This rule is not aligned with STIG because it checks for space left in
|
||||
megabytes, whereas STIG demands space left in percentage.
|
||||
---
|
||||
rhel8/profiles/stig.profile | 3 ++-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 0aa6f28986..dccfb548b7 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -219,7 +219,8 @@ selections:
|
||||
- package_rsyslog_installed
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_loghost
|
||||
- - auditd_data_retention_space_left
|
||||
+ # this rule expects configuration in MB instead percentage as how STIG demands
|
||||
+ # - auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
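Review bot: Commenting out `auditd_data_retention_space_left` removes the only check on the `space_left` threshold from the profile, so a host with a tiny or absent `space_left` now passes the RHEL8 STIG profile; the hunk records why the rule is wrong but not what covers the requirement in its place. I would make the comment name the gap and fix its wording: `# this rule expects space_left in MB, whereas STIG demands a percentage; re-enable once a percentage-aware rule exists`. Whether a percentage-aware rule already exists elsewhere in the tree is not visible here; if it does, select it instead of leaving the comment.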
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 55b645b67b..41782dcf3d 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -63,7 +63,6 @@ selections:
|
||||
- auditd_data_disk_full_action
|
||||
- auditd_data_retention_action_mail_acct
|
||||
- auditd_data_retention_max_log_file_action
|
||||
-- auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
- auditd_local_events
|
||||
- auditd_log_format
|
@ -1,43 +0,0 @@
|
||||
From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:07 +0100
|
||||
Subject: [PATCH 1/2] remove rule from rhel8 stig
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 882c481066..cda0239433 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -45,7 +45,6 @@ selections:
|
||||
- package_audispd-plugins_installed
|
||||
- package_libcap-ng-utils_installed
|
||||
- auditd_audispd_syslog_plugin_activated
|
||||
- - accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_password_pam_enforce_local
|
||||
- accounts_password_pam_enforce_root
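Review bot: The hunk drops `accounts_passwords_pam_faillock_enforce_local` from the RHEL8 STIG profile without a comment, and the commit message ("remove rule from rhel8 stig") gives no reason either, so a later reader cannot tell whether the STIG requirement behind it was withdrawn, is covered by another rule, or is simply no longer checked. Other removals from this profile carry an inline justification (the `chronyd_or_ntpd_set_maxpoll` and `auditd_data_retention_space_left` comments visible in the neighbouring patch), and this one should too, e.g. `# accounts_passwords_pam_faillock_enforce_local not selected: <reason>`. The companion change to the profile-stability test only mirrors the removal and needs no separate note.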
|
||||
|
||||
|
||||
From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:25 +0100
|
||||
Subject: [PATCH 2/2] modify profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index a4ad24aec2..6676ca497c 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -41,7 +41,6 @@ selections:
|
||||
- accounts_password_set_max_life_existing
|
||||
- accounts_password_set_min_life_existing
|
||||
- accounts_passwords_pam_faillock_deny
|
||||
-- accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_passwords_pam_faillock_interval
|
||||
- accounts_passwords_pam_faillock_unlock_time
|
||||
- accounts_umask_etc_bashrc
|
@ -1,843 +0,0 @@
|
||||
From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
|
||||
From: Guang Yee <guang.yee@suse.com>
|
||||
Date: Mon, 11 Jan 2021 12:55:43 -0800
|
||||
Subject: [PATCH] Enable checks and remediations for the following SLES-12
|
||||
STIGs:
|
||||
|
||||
- SLES-12-010030 'banner_etc_issue'
|
||||
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
|
||||
- SLES-12-010450 'encrypt_partitions'
|
||||
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
|
||||
- SLES-12-010500 'package_aide_installed'
|
||||
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
|
||||
- SLES-12-010580 'kernel_module_usb-storage_disabled'
|
||||
- SLES-12-010599 'package_MFEhiplsm_installed'
|
||||
- SLES-12-010690 'no_files_unowned_by_user'
|
||||
- SLES-12-030000 'package_telnet-server_removed'
|
||||
- SLES-12-030010 'ftp_present_banner'
|
||||
- SLES-12-030050 'sshd_enable_warning_banner'
|
||||
- SLES-12-030110 'sshd_set_loglevel_verbose'
|
||||
- SLES-12-030130 'sshd_print_last_log'
|
||||
- SLES-12-030210 'file_permissions_sshd_pub_key'
|
||||
- SLES-12-030220 'file_permissions_sshd_private_key'
|
||||
- SLES-12-030230 'sshd_enable_strictmodes'
|
||||
- SLES-12-030240 'sshd_use_priv_separation'
|
||||
- SLES-12-030250 'sshd_disable_compression'
|
||||
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
|
||||
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
|
||||
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
|
||||
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
|
||||
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
|
||||
---
|
||||
.../ftp_present_banner/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../rule.yml | 1 +
|
||||
.../file_permissions_sshd_pub_key/rule.yml | 1 +
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../sshd_disable_compression/rule.yml | 1 +
|
||||
.../sshd_enable_strictmodes/rule.yml | 1 +
|
||||
.../sshd_enable_warning_banner/rule.yml | 1 +
|
||||
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
|
||||
.../sshd_set_loglevel_verbose/rule.yml | 1 +
|
||||
.../sshd_use_priv_separation/rule.yml | 1 +
|
||||
.../banner_etc_issue/ansible/shared.yml | 2 +-
|
||||
.../banner_etc_issue/rule.yml | 4 ++-
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../bash/shared.sh | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../encrypt_partitions/rule.yml | 8 +++++-
|
||||
.../package_MFEhiplsm_installed/rule.yml | 2 ++
|
||||
.../aide/package_aide_installed/rule.yml | 3 +++
|
||||
.../ansible/sle12.yml | 13 ++++++++++
|
||||
.../rule.yml | 8 +++++-
|
||||
shared/applicability/general.yml | 4 +++
|
||||
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
|
||||
.../kernel_module_disabled/ansible.template | 12 +++++++--
|
||||
.../kernel_module_disabled/bash.template | 9 ++++++-
|
||||
.../kernel_module_disabled/oval.template | 5 ++++
|
||||
sle12/product.yml | 1 +
|
||||
sle12/profiles/stig.profile | 25 +++++++++++++++++++
|
||||
37 files changed, 153 insertions(+), 18 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
|
||||
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
index 35ba09b0d0..3590a085b6 100644
|
||||
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
@@ -19,6 +19,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80248-8
|
||||
+ cce@sle12: CCE-83059-6
|
||||
|
||||
references:
|
||||
stigid@sle12: SLES-12-030010
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
index 317eecdc3d..619b3f0b7d 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
@@ -27,6 +27,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27165-0
|
||||
cce@rhel8: CCE-82182-7
|
||||
+ cce@sle12: CCE-83084-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-021710
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
index 2e52219ece..d460411667 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27485-2
|
||||
cce@rhel8: CCE-82424-3
|
||||
+ cce@sle12: CCE-83058-8
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040420
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
index e59ddc0770..b9e07d71af 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||||
@@ -13,6 +13,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27311-0
|
||||
cce@rhel8: CCE-82428-4
|
||||
+ cce@sle12: CCE-83057-0
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040410
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
index e07e436d60..f8d422c6c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
index fe7e67c1c2..f8eec6a074 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||||
@@ -21,6 +21,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80224-9
|
||||
cce@rhel8: CCE-80895-6
|
||||
+ cce@sle12: CCE-83062-0
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040470
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
index 22b98c71a2..601f6a0ca2 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80222-3
|
||||
cce@rhel8: CCE-80904-6
|
||||
+ cce@sle12: CCE-83060-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040450
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
index 2199d61ca9..c93ef6340f 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27314-4
|
||||
cce@rhel8: CCE-80905-3
|
||||
+ cce@sle12: CCE-83066-1
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040170
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
index a0b8ed38ae..0ce5da30b2 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||||
@@ -17,6 +17,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80225-6
|
||||
cce@rhel8: CCE-82281-7
|
||||
+ cce@sle12: CCE-83083-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040360
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
index 28ce48de8e..2180398855 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
||||
@@ -22,6 +22,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-82419-3
|
||||
cce@rhel8: CCE-82420-1
|
||||
+ cce@sle12: CCE-83077-8
|
||||
|
||||
references:
|
||||
srg: SRG-OS-000032-GPOS-00013
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
index 14d1acfd22..d65ddb6cd1 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80223-1
|
||||
cce@rhel8: CCE-80908-7
|
||||
+ cce@sle12: CCE-83061-2
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040460
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
index f3a0c85ea5..ff6b6eab42 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = unknown
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
index a86ede70f8..637d8ee528 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Modify the System Login Banner'
|
||||
|
||||
@@ -52,6 +52,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27303-7
|
||||
cce@rhel8: CCE-80763-6
|
||||
cce@rhcos4: CCE-82555-4
|
||||
+ cce@sle12: CCE-83054-7
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-010050
|
||||
@@ -64,6 +65,7 @@ references:
|
||||
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
|
||||
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
|
||||
stigid@rhel7: RHEL-07-010050
|
||||
+ stigid@sle12: SLES-12-010030
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
||||
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
||||
cobit5: DSS05.04,DSS05.10,DSS06.10
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
index 9d50a9d20c..536ac29569 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
index e598f4e8cb..32412aa482 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: low
|
||||
identifiers:
|
||||
cce@rhel7: CCE-82041-5
|
||||
cce@rhel8: CCE-80955-8
|
||||
+ cce@sle12: CCE-83065-3
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040000
|
||||
@@ -30,6 +31,7 @@ references:
|
||||
srg: SRG-OS-000027-GPOS-00008
|
||||
vmmsrg: SRG-OS-000027-VMM-000080
|
||||
stigid@rhel7: RHEL-07-040000
|
||||
+ stigid@sle12: SLES-12-010120
|
||||
isa-62443-2013: 'SR 3.1,SR 3.8'
|
||||
isa-62443-2009: 4.3.3.4
|
||||
cobit5: DSS01.05,DSS05.02
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
index 23bcdf8641..007b23ba24 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
|
||||
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
|
||||
# reboot = false
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
index 4c27eb11fd..1943a00fb2 100644
|
||||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
|
||||
title: 'Encrypt Audit Records Sent With audispd Plugin'
|
||||
|
||||
@@ -26,6 +26,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80540-8
|
||||
cce@rhel8: CCE-80926-9
|
||||
+ cce@sle12: CCE-83063-8
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-030310
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist: AU-9(3),CM-6(a)
|
||||
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
||||
stigid@rhel7: RHEL-07-030310
|
||||
+ stigid@sle12: SLES-12-030340
|
||||
ospp: FAU_GEN.1.1.c
|
||||
|
||||
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
index a3f78cb910..8767a5226f 100644
|
||||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80179-5
|
||||
cce@rhel8: CCE-81013-5
|
||||
cce@rhcos4: CCE-82480-5
|
||||
+ cce@sle12: CCE-83078-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040830
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040830
|
||||
+ stigid@sle12: SLES-12-030361
|
||||
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
index 0cd3dbc143..7bc4e3b9b7 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27434-0
|
||||
cce@rhel8: CCE-81011-9
|
||||
cce@rhcos4: CCE-82478-9
|
||||
+ cce@sle12: CCE-83064-6
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040610
|
||||
@@ -33,6 +34,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040610
|
||||
+ stigid@sle12: SLES-12-030360
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
index c48ec8de3d..f7ee2e9818 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80162-1
|
||||
cce@rhel8: CCE-80920-2
|
||||
cce@rhcos4: CCE-82479-7
|
||||
+ cce@sle12: CCE-83079-4
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040620
|
||||
@@ -34,6 +35,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040620
|
||||
+ stigid@sle12: SLES-12-030370
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
index ddf6b07758..861c3485f3 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
||||
|
||||
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
|
||||
|
||||
@@ -19,6 +19,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80999-6
|
||||
cce@rhel8: CCE-80921-0
|
||||
cce@rhcos4: CCE-82485-4
|
||||
+ cce@sle12: CCE-83086-9
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-040650
|
||||
@@ -31,6 +32,7 @@ references:
|
||||
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stigid@rhel7: RHEL-07-040650
|
||||
+ stigid@sle12: SLES-12-030420
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
||||
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
index 0a829df187..e49942d1cc 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_rhel
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
|
||||
df --local -P | awk '{if (NR!=1) print $6}' \
|
||||
| xargs -I '{}' find '{}' -xdev -type d \
|
||||
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
index d04df8df86..5bb3cf3713 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||||
@@ -34,6 +34,7 @@ identifiers:
|
||||
cce@rhel7: CCE-80130-8
|
||||
cce@rhel8: CCE-80783-4
|
||||
cce@rhcos4: CCE-82753-5
|
||||
+ cce@sle12: CCE-83047-1
|
||||
|
||||
references:
|
||||
cis@rhe8: 1.1.21
|
||||
@@ -46,6 +47,7 @@ references:
|
||||
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
||||
cis-csc: 12,13,14,15,16,18,3,5
|
||||
cis@sle15: 1.1.22
|
||||
+ stigid@sle12: SLES-12-010460
|
||||
|
||||
ocil_clause: 'any world-writable directories are missing the sticky bit'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
index e664cf9215..faab0b8822 100644
|
||||
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Ensure All Files Are Owned by a User'
|
||||
|
||||
@@ -24,6 +24,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80134-0
|
||||
cce@rhel8: CCE-83499-4
|
||||
+ cce@sle12: CCE-83072-9
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020320
|
||||
@@ -40,6 +41,7 @@ references:
|
||||
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
||||
cis-csc: 11,12,13,14,15,16,18,3,5,9
|
||||
cis@sle15: 6.1.11
|
||||
+ stigid@sle12: SLES-12-010690
|
||||
|
||||
ocil_clause: 'files exist that are not owned by a valid user'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
index c78b570efb..24e77cc74e 100644
|
||||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Disable Modprobe Loading of USB Storage Driver'
|
||||
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel7: CCE-27277-3
|
||||
cce@rhel8: CCE-80835-2
|
||||
cce@rhcos4: CCE-82719-6
|
||||
+ cce@sle12: CCE-83069-5
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020100
|
||||
@@ -39,6 +40,7 @@ references:
|
||||
cis-csc: 1,12,15,16,5
|
||||
cis@rhel8: 1.1.23
|
||||
cis@sle15: 1.1.3
|
||||
+ stigid@sle12: SLES-12-010580
|
||||
|
||||
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
|
||||
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index 80d1856778..fe370a4323 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
|
||||
|
||||
title: 'Encrypt Partitions'
|
||||
|
||||
@@ -14,6 +14,7 @@ description: |-
|
||||
option is selected the system will prompt for a passphrase to use in
|
||||
decrypting the partition. The passphrase will subsequently need to be entered manually
|
||||
every time the system boots.
|
||||
+ {{% if product != "sle12" %}}
|
||||
<br /><br />
|
||||
For automated/unattended installations, it is possible to use Kickstart by adding
|
||||
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
|
||||
@@ -26,11 +27,14 @@ description: |-
|
||||
<br /><br />
|
||||
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
|
||||
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
|
||||
+ {{% endif %}}
|
||||
<br /><br />
|
||||
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
|
||||
the {{{ full_name }}} Documentation web site:<br />
|
||||
{{% if product in ["ol7", "ol8"] %}}
|
||||
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
|
||||
+ {{% elif product == "sle12" %}}
|
||||
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
||||
{{% else %}}
|
||||
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
||||
{{% endif %}}
|
||||
@@ -45,6 +49,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27128-8
|
||||
cce@rhel8: CCE-80789-1
|
||||
+ cce@sle12: CCE-83046-3
|
||||
|
||||
references:
|
||||
cui: 3.13.16
|
||||
@@ -58,6 +63,7 @@ references:
|
||||
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
|
||||
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
|
||||
cis-csc: 13,14
|
||||
+ stigid@sle12: SLES-12-010450
|
||||
|
||||
ocil_clause: 'partitions do not have a type of crypto_LUKS'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
index f96cfc925b..c0bf1ee908 100644
|
||||
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80368-4
|
||||
+ cce@sle12: CCE-83071-1
|
||||
|
||||
references:
|
||||
disa: CCI-000366,CCI-001263
|
||||
@@ -31,6 +32,7 @@ references:
|
||||
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
|
||||
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
|
||||
stigid@rhel7: RHEL-07-020019
|
||||
+ stigid@sle12: SLES-12-010599
|
||||
|
||||
ocil_clause: 'the HBSS HIPS module is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
index 699992b48c..23e939bbec 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
@@ -14,6 +14,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel7: CCE-27096-7
|
||||
cce@rhel8: CCE-80844-4
|
||||
+ cce@sle12: CCE-83048-9
|
||||
|
||||
references:
|
||||
cis@rhel8: 1.4.1
|
||||
@@ -30,6 +31,8 @@ references:
|
||||
srg: SRG-OS-000363-GPOS-00150
|
||||
cis@sle15: 1.4.1
|
||||
ism: 1034,1288,1341,1417
|
||||
+ stigid@sle12: SLES-12-010500
|
||||
+ disa@sle12: CCI-002699
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
new file mode 100644
|
||||
index 0000000000..6fca48166a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = multi_platform_sle
|
||||
+# reboot = false
|
||||
+# strategy = unknown
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+- name: Ensure GPG check is globally activated (zypper)
|
||||
+ ini_file:
|
||||
+ dest: /etc/zypp/zypp.conf
|
||||
+ section: main
|
||||
+ option: gpgcheck
|
||||
+ value: 1
|
||||
+ no_extra_spaces: yes
|
||||
+ create: False
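Review bot: `create: False` makes the ini_file task error out instead of remediating when /etc/zypp/zypp.conf is missing, and `no_extra_spaces: yes` writes `gpgcheck=1`, whereas the stock file's own examples use the spaced `key = value` form; the OVAL check for this rule is not visible here, so confirm that the written spelling and the check agree before relying on this playbook. If an absent file should be corrected rather than reported as a task failure, `create: True` with the same section/option yields a compliant file. `# strategy = unknown` is also the only remediation header on this page without a concrete strategy (the kernel-module templates use `disable`, the ciphers remediation `restrict`); `configure` matches a config-file edit.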
|
||||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
index 24cef5499c..1f86aff1e9 100644
|
||||
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
|
||||
title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
|
||||
|
||||
@@ -33,6 +33,7 @@ severity: high
|
||||
identifiers:
|
||||
cce@rhel7: CCE-26989-4
|
||||
cce@rhel8: CCE-80790-9
|
||||
+ cce@sle12: CCE-83068-7
|
||||
|
||||
references:
|
||||
stigid@ol7: OL07-00-020050
|
||||
@@ -54,6 +55,7 @@ references:
|
||||
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
|
||||
cis-csc: 11,2,3,9
|
||||
anssi: BP28(R15)
|
||||
+ stigid@sle12: SLES-12-010550
|
||||
|
||||
ocil_clause: 'GPG checking is not enabled'
|
||||
|
||||
@@ -66,4 +68,8 @@ ocil: |-
|
||||
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
|
||||
disabled.
|
||||
|
||||
+{{% if product == 'sle12' %}}
|
||||
+platform: zypper
|
||||
+{{% else %}}
|
||||
platform: yum
|
||||
+{{% endif %}}
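Review bot: The `{{% if product == 'sle12' %}}` guard leaves every other product in `prodtype` on the `platform: yum` branch, including `sle15`, which is listed on the same file's prodtype line, so the rule remains inapplicable on that zypper-based product. The file already reads `pkg_manager` in its title and sle12/product.yml sets `pkg_manager: "zypper"`, so keying the platform on that variable covers both products: `{{% if pkg_manager == 'zypper' %}}`. Whether sle15's product.yml defines `pkg_manager` the same way is not visible on this page.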
|
||||
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||
index a6581fd713..7382b7dd30 100644
|
||||
--- a/shared/applicability/general.yml
|
||||
+++ b/shared/applicability/general.yml
|
||||
@@ -74,3 +74,7 @@ cpes:
|
||||
title: "Package yum is installed"
|
||||
check_id: installed_env_has_yum_package
|
||||
|
||||
+ - zypper:
|
||||
+ name: "cpe:/a:zypper"
|
||||
+ title: "Package zypper is installed"
|
||||
+ check_id: installed_env_has_zypper_package
|
||||
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
new file mode 100644
|
||||
index 0000000000..cf14e6af3c
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
@@ -0,0 +1,25 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory"
|
||||
+ id="installed_env_has_zypper_package" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Package zypper is installed</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_sle</platform>
|
||||
+ </affected>
|
||||
+ <description>Checks if package zypper is installed.</description>
|
||||
+ <reference ref_id="cpe:/a:zypper" source="CPE" />
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
|
||||
+ id="test_env_has_zypper_installed" version="1"
|
||||
+ comment="system has package zypper installed">
|
||||
+ <linux:object object_ref="obj_env_has_zypper_installed" />
|
||||
+ </linux:rpminfo_test>
|
||||
+ <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
|
||||
+ <linux:name>zypper</linux:name>
|
||||
+ </linux:rpminfo_object>
|
||||
+</def-group>
|
||||
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
|
||||
index 47deee6e54..c4a83ad325 100644
|
||||
--- a/shared/templates/kernel_module_disabled/ansible.template
|
||||
+++ b/shared/templates/kernel_module_disabled/ansible.template
|
||||
@@ -1,12 +1,20 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
+{{% if product == "sle12" %}}
|
||||
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
|
||||
+ lineinfile:
|
||||
+ create: yes
|
||||
+ dest: "/etc/modprobe.d/50-blacklist.conf"
|
||||
+ regexp: '^blacklist {{{ KERNMODULE }}}$'
|
||||
+ line: "blacklist {{{ KERNMODULE }}}"
|
||||
+{{% else %}}
|
||||
- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
|
||||
lineinfile:
|
||||
create: yes
|
||||
dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
|
||||
regexp: '{{{ KERNMODULE }}}'
|
||||
line: "install {{{ KERNMODULE }}} /bin/true"
|
||||
-
|
||||
+{{% endif %}}
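Review bot: The sle12 branch writes only `blacklist <module>` to /etc/modprobe.d/50-blacklist.conf, which stops alias-based autoloading but not an explicit `modprobe` or a dependency pull-in, whereas the `install <module> /bin/true` line kept for every other platform prevents the module from loading at all. The bash template (hunk ending at L8062) makes the same choice, and the OVAL template (hunk ending at L8118) accepts for sle12 nothing but the `blacklist` line in that one file, so a SLE host hardened with the stronger `install` directive is reported non-compliant while the weaker one passes. If the `blacklist` form is what the SLES STIG check looks for, a comment above `{{% if product == "sle12" %}}` saying so would explain the weaker directive; otherwise consider emitting both lines for sle12 and letting the OVAL branch accept either. Note that with `multi_platform_sle` on the platform line, sle15 now takes the `install` branch, which is presumably intended.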
|
||||
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
|
||||
index 42c0830b5f..f70a9925cd 100644
|
||||
--- a/shared/templates/kernel_module_disabled/bash.template
|
||||
+++ b/shared/templates/kernel_module_disabled/bash.template
|
||||
@@ -1,11 +1,18 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
+{{% if product == "sle12" %}}
|
||||
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
|
||||
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
|
||||
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
|
||||
+fi
|
||||
+{{% else %}}
|
||||
if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
|
||||
sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
else
|
||||
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
|
||||
fi
|
||||
+{{% endif %}}
|
||||
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
|
||||
index e5a7aaa8b4..737ae3c796 100644
|
||||
--- a/shared/templates/kernel_module_disabled/oval.template
|
||||
+++ b/shared/templates/kernel_module_disabled/oval.template
|
||||
@@ -54,9 +54,14 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
|
||||
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
|
||||
+ {{% if product == "sle12" %}}
|
||||
+ <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
|
||||
+ {{% else %}}
|
||||
<ind:path>/etc/modprobe.d</ind:path>
|
||||
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
|
||||
+ {{% endif %}}
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/sle12/product.yml b/sle12/product.yml
|
||||
index e465a6d687..d83ad88c21 100644
|
||||
--- a/sle12/product.yml
|
||||
+++ b/sle12/product.yml
|
||||
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
|
||||
init_system: "systemd"
|
||||
|
||||
pkg_manager: "zypper"
|
||||
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
|
||||
oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
|
||||
|
||||
cpes_root: "../shared/applicability"
|
||||
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
|
||||
index 6cf3339569..15c4f70336 100644
|
||||
--- a/sle12/profiles/stig.profile
|
||||
+++ b/sle12/profiles/stig.profile
|
||||
@@ -12,34 +12,59 @@ selections:
|
||||
- account_temp_expire_date
|
||||
- accounts_have_homedir_login_defs
|
||||
- accounts_logon_fail_delay
|
||||
+ - accounts_max_concurrent_login_sessions
|
||||
- accounts_maximum_age_login_defs
|
||||
+ - accounts_minimum_age_login_defs
|
||||
- accounts_no_uid_except_zero
|
||||
- accounts_password_set_max_life_existing
|
||||
- accounts_password_set_min_life_existing
|
||||
- accounts_umask_etc_login_defs
|
||||
+ - auditd_audispd_encrypt_sent_records
|
||||
- auditd_data_disk_full_action
|
||||
- auditd_data_retention_action_mail_acct
|
||||
- auditd_data_retention_space_left
|
||||
+ - banner_etc_issue
|
||||
- banner_etc_motd
|
||||
+ - dir_perms_world_writable_sticky_bits
|
||||
- disable_ctrlaltdel_reboot
|
||||
+ - encrypt_partitions
|
||||
+ - ensure_gpgcheck_globally_activated
|
||||
+ - file_permissions_sshd_private_key
|
||||
+ - file_permissions_sshd_pub_key
|
||||
+ - ftp_present_banner
|
||||
- gnome_gdm_disable_automatic_login
|
||||
- grub2_password
|
||||
- grub2_uefi_password
|
||||
- installed_OS_is_vendor_supported
|
||||
+ - kernel_module_usb-storage_disabled
|
||||
- no_empty_passwords
|
||||
+ - no_files_unowned_by_user
|
||||
- no_host_based_files
|
||||
- no_user_host_based_files
|
||||
+ - package_MFEhiplsm_installed
|
||||
+ - package_aide_installed
|
||||
- package_audit-audispd-plugins_installed
|
||||
- package_audit_installed
|
||||
+ - package_telnet-server_removed
|
||||
- postfix_client_configure_mail_alias
|
||||
- security_patches_up_to_date
|
||||
- service_auditd_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+ - sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
||||
- sshd_disable_user_known_hosts
|
||||
- sshd_do_not_permit_user_env
|
||||
+ - sshd_enable_strictmodes
|
||||
+ - sshd_enable_warning_banner
|
||||
- sshd_enable_x11_forwarding
|
||||
+ - sshd_print_last_log
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_set_keepalive
|
||||
+ - sshd_set_loglevel_verbose
|
||||
+ - sshd_use_priv_separation
|
||||
- sudo_remove_no_authenticate
|
||||
- sudo_remove_nopasswd
|
||||
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||||
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
@ -1,259 +0,0 @@
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
index abcebf60c7..50c7d689af 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
@@ -61,7 +61,6 @@ references:
|
||||
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
|
||||
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
|
||||
- stigid@rhel7: RHEL-07-040110
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
||||
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..4796a2eab1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Configure sshd to use approved ciphers"
|
||||
+ lineinfile:
|
||||
+ path: /etc/ssh/sshd_config
|
||||
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
|
||||
+ state: present
|
||||
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
||||
+ create: True
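Review bot: The `regexp` matches only Ciphers lines that already consist of the approved algorithms in the approved order, so on a host with a non-compliant line such as `Ciphers aes128-cbc` lineinfile finds no match, appends the approved line at the end of the file and leaves the original in place; sshd honours the first occurrence of a keyword, so the effective cipher list is unchanged in exactly the case the remediation exists for. The bash remediation for the same rule (hunk ending at L8479) rewrites any `Ciphers` line, which is the behaviour wanted here: `regexp: '^\s*[Cc]iphers\s+'`. The class `[\w,-@]` in the lookaheads is also a range from `,` to `@` rather than a literal hyphen; it becomes moot with the simpler pattern.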
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..8f751ed516
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+
|
||||
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
|
||||
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..53ff0a2a9e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
||||
@@ -0,0 +1,38 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
+ <criteria comment="SSH is configured correctly or is not installed"
|
||||
+ operator="OR">
|
||||
+ <criteria comment="sshd is not installed" operator="AND">
|
||||
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||
+ definition_ref="sshd_not_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server removed"
|
||||
+ definition_ref="package_openssh-server_removed" />
|
||||
+ </criteria>
|
||||
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||
+ definition_ref="sshd_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server installed"
|
||||
+ definition_ref="package_openssh-server_installed" />
|
||||
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
|
||||
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
|
||||
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
|
||||
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
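Review bot: The object collects only Ciphers lines that already match the approved list, and with `check_existence="all_exist"` and `instance` 1 the test passes as soon as one such line exists, even when an earlier non-compliant `Ciphers` line is the one sshd applies (first occurrence wins), so a host can be reported compliant while negotiating unapproved ciphers. Collecting every Ciphers directive and judging each through a state makes any stray line fail the test; a sketch follows. The criterion comment on the `test_ref` line also misspells `Ciphers` as `Cipers`.
```xml
<!-- … unchanged: definition and criteria … -->
  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
      comment="every Ciphers directive in /etc/ssh/sshd_config lists only approved ciphers, in order"
      id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
    <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
    <ind:state state_ref="state_sshd_use_approved_ciphers_ordered_stig" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
    <!-- match every Ciphers directive; the state decides whether each value is acceptable -->
    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(\S+)[\s]*(?:#.*)?$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_sshd_use_approved_ciphers_ordered_stig" version="1">
    <!-- approved algorithms only, in this order; any subset is allowed -->
    <ind:subexpression operation="pattern match">^(aes256-ctr(,|$))?(aes192-ctr(,|$))?(aes128-ctr)?$</ind:subexpression>
  </ind:textfilecontent54_state>
```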
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..0751064179
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
@@ -0,0 +1,64 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel7
|
||||
+
|
||||
+title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
+
|
||||
+description: |-
|
||||
+ Limit the ciphers to those algorithms which are FIPS-approved.
|
||||
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
||||
+ demonstrates use of FIPS-approved ciphers:
|
||||
+ <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
|
||||
+ This rule ensures that there are configured ciphers mentioned
|
||||
+ above (or their subset), keeping the given order of algorithms.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
|
||||
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
|
||||
+ <br />
|
||||
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
|
||||
+ cryptographic modules.
|
||||
+ <br />
|
||||
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
|
||||
+ utilize authentication that meets industry and government requirements. For government systems, this allows
|
||||
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83398-8
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
||||
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
+ stigid@rhel7: RHEL-07-040110
|
||||
+
|
||||
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
|
||||
+ ciphers are in use, run the following command:
|
||||
+ <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
|
||||
+ The output should contain only following ciphers (or a subset) in the exact order:
|
||||
+ <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The system needs to be rebooted for these changes to take effect.
|
||||
+ - regulatory: |-
|
||||
+ System Crypto Modules must be provided by a vendor that undergoes
|
||||
+ FIPS-140 certifications.
|
||||
+ FIPS-140 is applicable to all Federal agencies that use
|
||||
+ cryptographic-based security systems to protect sensitive information
|
||||
+ in computer and telecommunication systems (including voice systems) as
|
||||
+ defined in Section 5131 of the Information Technology Management Reform
|
||||
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
+ designing and implementing cryptographic modules that Federal
|
||||
+ departments and agencies operate or are operated for them under
|
||||
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
+ To meet this, the system has to have cryptographic software provided by
|
||||
+ a vendor that has undergone this certification. This means providing
|
||||
+ documentation, test results, design information, and independent third
|
||||
+ party review by an accredited lab. While open source software is
|
||||
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
+ submits to this process.
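Review bot: `prodtype: rhel7` restricts the rule to RHEL 7, while the ansible and bash remediations added alongside it declare `Oracle Linux 7` and `multi_platform_wrlinux` as platforms (L8404, L8461); those platform entries are never exercised unless `prodtype` is widened to match, so either add `ol7`/`wrlinux1019` here or trim the remediation headers. The general warning `The system needs to be rebooted for these changes to take effect.` also overstates what an sshd_config edit requires — sshd only has to be restarted to load the new cipher list — so consider `The sshd service needs to be restarted for these changes to take effect.`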
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..daff7d7c53
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b9d22262af
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b99d3832cd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6dfd54631c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7b38914a1a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6fdb47093d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..24fdf0f30d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 6c06a8ede6..adf86894e1 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -239,8 +239,7 @@ selections:
|
||||
- install_antivirus
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- configure_firewalld_ports
|
||||
- - sshd_approved_ciphers=stig
|
||||
- - sshd_use_approved_ciphers
|
||||
+ - sshd_use_approved_ciphers_ordered_stig
|
||||
- accounts_tmout
|
||||
- sshd_enable_warning_banner
|
||||
- sssd_ldap_start_tls
|
@ -1,386 +0,0 @@
|
||||
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:07 +0100
|
||||
Subject: [PATCH 1/7] add rule and remediations
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 13 +++++
|
||||
.../bash/shared.sh | 7 +++
|
||||
.../oval/shared.xml | 38 +++++++++++++
|
||||
.../rule.yml | 57 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
5 files changed, 115 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..cefba7db05
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Configure sshd to use approved MACs"
|
||||
+ lineinfile:
|
||||
+ path: /etc/ssh/sshd_config
|
||||
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
|
||||
+ state: present
|
||||
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
||||
+ create: True
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c76190fb96
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
+
|
||||
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
||||
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..d7fbd9f0ed
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -0,0 +1,38 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
||||
+ <criteria comment="SSH is configured correctly or is not installed"
|
||||
+ operator="OR">
|
||||
+ <criteria comment="sshd is not installed" operator="AND">
|
||||
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||
+ definition_ref="sshd_not_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server removed"
|
||||
+ definition_ref="package_openssh-server_removed" />
|
||||
+ </criteria>
|
||||
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||
+ definition_ref="sshd_required_or_unset" />
|
||||
+ <extend_definition comment="rpm package openssh-server installed"
|
||||
+ definition_ref="package_openssh-server_installed" />
|
||||
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
|
||||
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
|
||||
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..dc9f7dca7c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -0,0 +1,57 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel7
|
||||
+
|
||||
+title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
+
|
||||
+description: |-
|
||||
+ Limit the MACs to those hash algorithms which are FIPS-approved.
|
||||
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
||||
+ demonstrates use of FIPS-approved MACs:
|
||||
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+ This rule ensures that there are configured MACs mentioned
|
||||
+ above (or their subset), keeping the given order of algorithms.
|
||||
+
|
||||
+rationale: |-
|
||||
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
|
||||
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83398-8
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
+ stigid@rhel7: RHEL-07-040400
|
||||
+
|
||||
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
|
||||
+ MACs are in use, run the following command:
|
||||
+ <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
|
||||
+ The output should contain only following MACs (or a subset) in the exact order:
|
||||
+ <pre>hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The system needs to be rebooted for these changes to take effect.
|
||||
+ - regulatory: |-
|
||||
+ System Crypto Modules must be provided by a vendor that undergoes
|
||||
+ FIPS-140 certifications.
|
||||
+ FIPS-140 is applicable to all Federal agencies that use
|
||||
+ cryptographic-based security systems to protect sensitive information
|
||||
+ in computer and telecommunication systems (including voice systems) as
|
||||
+ defined in Section 5131 of the Information Technology Management Reform
|
||||
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
+ designing and implementing cryptographic modules that Federal
|
||||
+ departments and agencies operate or are operated for them under
|
||||
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
+ To meet this, the system has to have cryptographic software provided by
|
||||
+ a vendor that has undergone this certification. This means providing
|
||||
+ documentation, test results, design information, and independent third
|
||||
+ party review by an accredited lab. While open source software is
|
||||
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
+ submits to this process.
|
||||
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:25 +0100
|
||||
Subject: [PATCH 2/7] add tests
|
||||
|
||||
---
|
||||
.../tests/comment.fail.sh | 7 +++++++
|
||||
.../tests/correct_reduced_list.pass.sh | 7 +++++++
|
||||
.../tests/correct_scrambled.fail.sh | 7 +++++++
|
||||
.../tests/correct_value.pass.sh | 7 +++++++
|
||||
.../tests/line_not_there.fail.sh | 3 +++
|
||||
.../tests/no_parameters.fail.sh | 7 +++++++
|
||||
.../tests/wrong_value.fail.sh | 7 +++++++
|
||||
7 files changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..26bf18234c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0d922cdee9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..ce3f459352
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..19da7102a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fd1f19347a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..44c07c6de0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs ' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..cf56cd228f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
|
||||
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:58 +0100
|
||||
Subject: [PATCH 3/7] modify rhel7 stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 6c06a8ede6..17c781d3eb 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -28,7 +28,6 @@ selections:
|
||||
- inactivity_timeout_value=15_minutes
|
||||
- var_screensaver_lock_delay=5_seconds
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - sshd_approved_macs=stig
|
||||
- var_accounts_fail_delay=4
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
@@ -259,7 +258,7 @@ selections:
|
||||
- sshd_print_last_log
|
||||
- sshd_disable_root_login
|
||||
- sshd_allow_only_protocol2
|
||||
- - sshd_use_approved_macs
|
||||
+ - sshd_use_approved_macs_ordered_stig
|
||||
- file_permissions_sshd_pub_key
|
||||
- file_permissions_sshd_private_key
|
||||
- sshd_disable_gssapi_auth
|
||||
|
||||
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:33:10 +0100
|
||||
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
|
||||
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index 394c733f51..d47eb443f5 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -54,7 +54,6 @@ references:
|
||||
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
|
||||
- stigid@rhel7: RHEL-07-040400
|
||||
stigid@sle12: SLES-12-030180
|
||||
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
|
||||
|
||||
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:43:16 +0100
|
||||
Subject: [PATCH 5/7] simplify regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index d7fbd9f0ed..5973488661 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
|
||||
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:55:19 +0100
|
||||
Subject: [PATCH 6/7] make bash remediation more readable
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
index c76190fb96..f8f6f39bee 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
|
||||
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
||||
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
|
||||
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
||||
else
|
||||
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
|
||||
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 13:05:18 +0100
|
||||
Subject: [PATCH 7/7] one more small fix to oval regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index 5973488661..b5443b07c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -1,30 +0,0 @@
|
||||
From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Mon, 18 Jan 2021 15:21:51 +0100
|
||||
Subject: [PATCH] Supress Ansible lint error 503
|
||||
|
||||
It says that Tasks that run when changed should likely be handlers.
|
||||
However, we don't use handlers, and developer guide says that handlers
|
||||
aren't supported. I assume handlers would cause problems for SCAP
|
||||
scanners. Unless we start to support handlers this error isn't fixable
|
||||
for us therefore we can suppress it globally.
|
||||
|
||||
Addressing problems in scap-security-guide-lint-check Jenkins job:
|
||||
30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
|
||||
all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
|
||||
---
|
||||
tests/ansible-lint_config.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
|
||||
index d5107476a9..e4b4443f8c 100644
|
||||
--- a/tests/ansible-lint_config.yml
|
||||
+++ b/tests/ansible-lint_config.yml
|
||||
@@ -3,3 +3,4 @@ skip_list:
|
||||
- '301' # Commands should not change things if nothing needs doing
|
||||
- '303' # Using command rather than module
|
||||
- '403' # Package installs should not use latest
|
||||
+ - '503' # Tasks that run when changed should likely be handlers
|
@ -1,73 +0,0 @@
|
||||
From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri, 15 Jan 2021 16:28:07 +0100
|
||||
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
|
||||
|
||||
---
|
||||
.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
|
||||
.../sshd_enable_x11_forwarding/rule.yml | 1 -
|
||||
rhel7/profiles/stig.profile | 2 +-
|
||||
3 files changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
index 1779129f87..7da2e067a6 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
@@ -19,22 +19,23 @@ rationale: |-
|
||||
other users on the X11 server. Note that even if X11 forwarding is disabled,
|
||||
users can always install their own forwarders.
|
||||
|
||||
-severity: low
|
||||
+severity: medium
|
||||
|
||||
-ocil_clause: "that the X11Forwarding option exists and is enabled"
|
||||
-
|
||||
-ocil: |-
|
||||
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
|
||||
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-83359-0
|
||||
cce@rhel8: CCE-83360-8
|
||||
|
||||
references:
|
||||
- cis@rhel7: 5.2.4
|
||||
- cis@rhel8: 5.2.6
|
||||
- cis@sle12: 5.2.4
|
||||
- cis@sle15: 5.2.6
|
||||
+ cis@rhel7: 5.2.4
|
||||
+ cis@rhel8: 5.2.6
|
||||
+ cis@sle12: 5.2.4
|
||||
+ cis@sle15: 5.2.6
|
||||
+ stigid@rhel7: RHEL-07-040710
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
|
||||
template:
|
||||
name: sshd_lineinfile
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
index 803e581a0f..87c3cb7f5a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
@@ -29,7 +29,6 @@ references:
|
||||
nist: CM-6(a),AC-17(a),AC-17(2)
|
||||
nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
- stigid@rhel7: RHEL-07-040710
|
||||
stigid@sle12: SLES-12-030260
|
||||
isa-62443-2013: 'SR 7.6'
|
||||
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 817e0982e5..6c06a8ede6 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -285,7 +285,7 @@ selections:
|
||||
- postfix_prevent_unrestricted_relay
|
||||
- package_vsftpd_removed
|
||||
- package_tftp-server_removed
|
||||
- - sshd_enable_x11_forwarding
|
||||
+ - sshd_disable_x11_forwarding
|
||||
- sshd_x11_use_localhost
|
||||
- tftpd_uses_secure_mode
|
||||
- package_xorg-x11-server-common_removed
|
@ -1,688 +0,0 @@
|
||||
From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:17:15 +0100
|
||||
Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
|
||||
|
||||
This is not necessary as the ANSSI controls file handles this.
|
||||
---
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 64a9b542a0..4d0029af1d 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -7,7 +7,6 @@ description:
|
||||
Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
https://www.ssi.gouv.fr/.
|
||||
|
||||
-extends: anssi_bp28_minimal
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
|
||||
From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:21:47 +0100
|
||||
Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
|
||||
|
||||
---
|
||||
controls/anssi.yml | 2 +-
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++-----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++----
|
||||
9 files changed, 71 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2173d23f9d..54c05245b7 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -1,5 +1,5 @@
|
||||
policy: 'ANSSI-BP-028'
|
||||
-title: 'ANSSI-BP-028'
|
||||
+title: 'Configuration Recommendations of a GNU/Linux System'
|
||||
id: anssi
|
||||
version: '1.2'
|
||||
source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 5893d12dbd..49fa8593fe 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
|
||||
+title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 52ae1dd6d2..2853f20607 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
|
||||
- d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index e18225247b..55f985a7a9 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,10 +1,16 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
|
||||
+title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
|
||||
- des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:intermediary
|
||||
+ - anssi:all:intermediary
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 214f37d14b..7786a26b45 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
|
||||
+title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:minimal
|
||||
+ - anssi:all:minimal
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 4c39852b65..49fa8593fe 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 6b0489e0f1..2853f20607 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,11 +1,15 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the high level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 4d0029af1d..50ab1ba0b8 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -2,11 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d8f076c3e7..d477d34787 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the minimal level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:minimal
|
||||
|
||||
From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 12:23:14 +0100
|
||||
Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_high.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++----
|
||||
8 files changed, 32 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 55f985a7a9..6e39a978e5 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,15 +1,15 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 7786a26b45..f0a77bccd7 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 50ab1ba0b8..6dcd2b8ef2 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d477d34787..54e8cbd5a6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
|
||||
From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 11:11:57 +0100
|
||||
Subject: [PATCH 4/5] Fix ANSSI document number for consistency
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 6e39a978e5..4454976862 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -4,7 +4,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index f0a77bccd7..cc2cbd8359 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: false
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 6dcd2b8ef2..a9e0442257 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 54e8cbd5a6..090b571bb6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 16:05:07 +0100
|
||||
Subject: [PATCH 5/5] Fix single quote in ANSSI name
|
||||
|
||||
Previously the description was enclosed in single quotes, requiring a
|
||||
single quote to be escaped.
|
||||
Now the description is not enclosed in single quotes and there is no
|
||||
need to escape it.
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 4454976862..0c43ab8d73 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index cc2cbd8359..480333747c 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index a9e0442257..a592031673 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 090b571bb6..cef8394114 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
@ -1,89 +0,0 @@
|
||||
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 18 Jan 2021 11:18:43 +0100
|
||||
Subject: [PATCH] Update metadata for a few miminal and intermediary
|
||||
requirements
|
||||
|
||||
---
|
||||
controls/anssi.yml | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..9288ac1663 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -506,7 +506,10 @@ controls:
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is difficult to generally identify the system's service accounts.
|
||||
+ Assisting rules could list users which are not disabled for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R28
|
||||
level: enhanced
|
||||
@@ -530,7 +533,10 @@ controls:
|
||||
- id: R30
|
||||
level: minimal
|
||||
title: Applications using PAM
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
|
||||
+ Asssising rules could be created to list all applications using PAM for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R31
|
||||
title: Securing PAM Authentication Network Services
|
||||
@@ -580,6 +586,7 @@ controls:
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
||||
level: intermediary
|
||||
+ automated: yes
|
||||
rules:
|
||||
- file_owner_etc_shadow
|
||||
- file_permissions_etc_shadow
|
||||
@@ -637,7 +644,10 @@ controls:
|
||||
- id: R42
|
||||
level: minimal
|
||||
title: In memory services and daemons
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of resident daemons is minimal.
|
||||
+ Asssising rules could be created to list sevices listening on the network for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R43
|
||||
title: Hardening and configuring the syslog
|
||||
@@ -709,6 +719,7 @@ controls:
|
||||
- id: R48
|
||||
level: intermediary
|
||||
title: Configuring the local messaging service
|
||||
+ automated: yes
|
||||
rules:
|
||||
- postfix_network_listening_disabled
|
||||
|
||||
@@ -825,6 +836,7 @@ controls:
|
||||
level: intermediary
|
||||
title: Privileges of target sudo users
|
||||
description: The targeted users of a rule should be, as much as possible, non privileged users.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_root_target
|
||||
|
||||
@@ -840,12 +852,14 @@ controls:
|
||||
level: intermediary
|
||||
title: Good use of negation in a sudoers file
|
||||
description: The sudoers configuration rules should not involve negation.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_command_negation
|
||||
|
||||
- id: R63
|
||||
level: intermediary
|
||||
title: Explicit arguments in sudo specifications
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_explicit_command_args
|
||||
|
@ -1,352 +0,0 @@
|
||||
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Mon, 8 Feb 2021 15:57:43 +0100
|
||||
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
|
||||
kickstart
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
index 1d35bedb91..c381512476 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
index 73225c2fab..a672b38b83 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
@@ -103,7 +103,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
index 20c4c59a78..88a7cee8ab 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 728946ecb7..6f66a3774b 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index cd0eff2625..b5c09253a5 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -94,7 +94,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 3a241b06f4..fb785e0c11 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
|
||||
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:34 +0100
|
||||
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
|
||||
remediation
|
||||
|
||||
---
|
||||
.../bash/shared.sh | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7e2b3bd76b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+include_mount_options_functions
|
||||
+
|
||||
+MOUNT_OPTION="nodev"
|
||||
+# Create array of local non-root partitions
|
||||
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
|
||||
+
|
||||
+for partition_record in "${partitions_records[@]}"; do
|
||||
+ # Get all important information for fstab
|
||||
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
|
||||
+ device="$(echo ${partition_record} | cut -d " " -f2)"
|
||||
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
|
||||
+ # device and device_type will be used only in case when the device doesn't have fstab record
|
||||
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
|
||||
+ ensure_partition_is_mounted "$mount_point"
|
||||
+done
|
||||
|
||||
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:54 +0100
|
||||
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
|
||||
scenarios
|
||||
|
||||
---
|
||||
.../tests/correct.pass.sh | 23 +++++++++++++++++
|
||||
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
|
||||
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
|
||||
5 files changed, 113 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..8bfac4b80f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..84cadd6f73
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
@@ -0,0 +1,19 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+mkdir /tmp/test_dir
|
||||
+mount $PARTITION /tmp/test_dir
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7a09093f46
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c20a98bdcc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a95410526f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
@@ -0,0 +1,25 @@
|
||||
+#!/bin/bash
|
||||
+# packages = nfs-utils
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+mkdir /tmp/testdir
|
||||
+mkdir /tmp/testmount
|
||||
+chown 2 /tmp/testdir
|
||||
+chmod 777 /tmp/testdir
|
||||
+
|
||||
+echo '/tmp/testdir localhost(rw)' > /etc/exports
|
||||
+systemctl restart nfs-server
|
||||
+mount.nfs localhost:/tmp/testdir /tmp/testmount
|
||||
|
||||
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 18:32:26 +0100
|
||||
Subject: [PATCH 4/5] Add Ansible for
|
||||
mount_option_nodev_nonroot_local_partitions
|
||||
|
||||
The remediation metadata were inspired by the template mount_options
|
||||
---
|
||||
.../ansible/shared.yml | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..8530604308
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = high
|
||||
+
|
||||
+- name: Ensure non-root local partitions are mounted with nodev option
|
||||
+ mount:
|
||||
+ path: "{{ item.mount }}"
|
||||
+ src: "{{ item.device}}"
|
||||
+ opts: "{{ item.options }},nodev"
|
||||
+ state: "mounted"
|
||||
+ fstype: "{{ item.fstype }}"
|
||||
+ when:
|
||||
+ - "item.mount is match('/\\w')"
|
||||
+ - "item.options is not search('nodev')"
|
||||
+ with_items:
|
||||
+ - "{{ ansible_facts.mounts }}"
|
||||
|
||||
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 20:29:32 +0100
|
||||
Subject: [PATCH 5/5] Add space before and after variable
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
index 8530604308..2aa9a53e4d 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
- name: Ensure non-root local partitions are mounted with nodev option
|
||||
mount:
|
||||
path: "{{ item.mount }}"
|
||||
- src: "{{ item.device}}"
|
||||
+ src: "{{ item.device }}"
|
||||
opts: "{{ item.options }},nodev"
|
||||
state: "mounted"
|
||||
fstype: "{{ item.fstype }}"
|
@ -1,53 +1,32 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
# Base name of static rhel7 content tarball
|
||||
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.54
|
||||
Release: 5%{?dist}
|
||||
Version: 0.1.77
|
||||
Release: 1%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
License: BSD
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
|
||||
Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
|
||||
Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
|
||||
Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
|
||||
Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
|
||||
Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
|
||||
Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
|
||||
Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
|
||||
Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
|
||||
Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
|
||||
Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
|
||||
Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
|
||||
Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
|
||||
Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
|
||||
Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
|
||||
Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
|
||||
Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
|
||||
Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
|
||||
Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
|
||||
Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
|
||||
Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
|
||||
Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
|
||||
Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
|
||||
Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
|
||||
Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
|
||||
Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
|
||||
Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
|
||||
# Untill ANSSI High profile is shipped we drop the ks too
|
||||
Patch28: remove-ANSSI-high-ks.patch
|
||||
# Include tarball with last released rhel7 content
|
||||
Source2: %{_static_rhel7_content}.tar.bz2
|
||||
Patch0: fix_scap_delta_tailoring.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||
Obsoletes: openscap-content < 0:0.9.13
|
||||
Provides: openscap-content
|
||||
@ -58,11 +37,11 @@ system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The Red Hat Enterprise
|
||||
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
|
||||
package, or the scap-workbench GUI tool from scap-workbench package to verify
|
||||
that the system conforms to provided guideline. Refer to scap-security-guide(8)
|
||||
manual page for further information.
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
@ -74,75 +53,271 @@ The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -b 1
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
mkdir build
|
||||
%setup -q -b1 -b2
|
||||
%patch -P 0 -p1
|
||||
|
||||
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_PRODUCT_FIREFOX:BOOLEAN=true -DSSG_PRODUCT_JRE:BOOLEAN=TRUE
|
||||
%define cmake_defines_specific %{nil}
|
||||
%if 0%{?rhel}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||
%endif
|
||||
%if 0%{?centos}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
|
||||
%endif
|
||||
|
||||
%build
|
||||
cd build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
|
||||
%make_build
|
||||
mkdir -p %{_vpath_builddir}
|
||||
cd %{_vpath_builddir}
|
||||
%cmake -S .. %{cmake_defines_common} %{cmake_defines_specific}
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
cd build
|
||||
%make_install
|
||||
cd %{_vpath_builddir}
|
||||
%cmake_install
|
||||
|
||||
# Manually install pre-built rhel6 content
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# Manually install pre-built rhel7 content
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
|
||||
# this is for backward compatibility
|
||||
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
|
||||
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
%{_datadir}/%{name}/ansible
|
||||
%{_datadir}/%{name}/bash
|
||||
%{_datadir}/%{name}/tailoring
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%doc %{_docdir}/%{name}/README.md
|
||||
%doc %{_docdir}/%{name}/Contributors.md
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 03 2025 Matthew Burket <mburket@redhat.com> - 0.1.77-1
|
||||
- Rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-94802)
|
||||
- STIG: do not remediate rule disabling user namespaces (RHEL-76750)
|
||||
|
||||
* Tue Feb 25 2025 Vojtech Polasek <vpolasek@redhat.com> - 0.1.76-1
|
||||
- rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74241)
|
||||
|
||||
* Fri Nov 15 2024 Matthew Burket <mburket@redhat.com> - 0.1.75-1
|
||||
- Rebase scap-security-guide to the latest upstream version (RHEL-66153)
|
||||
- detection of Grub2 kernel command line arguments has been enhanced to cover more use cases (RHEL-53365)
|
||||
|
||||
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
|
||||
- fix build
|
||||
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
|
||||
|
||||
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
|
||||
- include RHEL 7 artifacts from the last RHEL 7 build
|
||||
|
||||
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
|
||||
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
|
||||
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
|
||||
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
|
||||
|
||||
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
|
||||
- Switch gating to tmt plan (RHEL-43242)
|
||||
|
||||
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
||||
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
|
||||
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
|
||||
- Fix file path identification in Rsyslog configuration (RHEL-17202)
|
||||
- Use a correct chrony server address in STIG profile (RHEL-1814)
|
||||
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
|
||||
|
||||
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
|
||||
- Unlist profiles no longer maintained in RHEL8.
|
||||
|
||||
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
||||
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
|
||||
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
|
||||
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
|
||||
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
|
||||
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
|
||||
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
|
||||
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
|
||||
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
|
||||
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
|
||||
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
|
||||
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
|
||||
- Update PCI-DSS to v4 (RHEL-1808)
|
||||
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
|
||||
|
||||
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
|
||||
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
|
||||
|
||||
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
||||
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
|
||||
- Fixed CCE link URL (RHBZ#2178516)
|
||||
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
|
||||
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
|
||||
- Fixed rules related to AIDE configuration (RHBZ#2175684)
|
||||
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
|
||||
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
|
||||
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
|
||||
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
|
||||
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
|
||||
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
|
||||
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
|
||||
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
|
||||
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
|
||||
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
|
||||
- Correct URL used to download CVE checks (RHBZ#2222583)
|
||||
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
|
||||
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
|
||||
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
|
||||
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
||||
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
||||
|
||||
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
|
||||
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
|
||||
- Fix levels of CIS rules (RHBZ#2162803)
|
||||
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
|
||||
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
|
||||
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
|
||||
- Add rule for audit immutable login uids (RHBZ#2151553)
|
||||
- Fix remediation of audit watch rules (RHBZ#2119356)
|
||||
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
|
||||
- Fix applicability of kerberos rules (RHBZ#2099394)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
|
||||
|
||||
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
|
||||
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
|
||||
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
|
||||
- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
|
||||
- Fix compatibility with Ansible 2.14
|
||||
|
||||
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
|
||||
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
|
||||
|
||||
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
|
||||
- Fix Ansible partition conditional (RHBZ#2032403)
|
||||
|
||||
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||
- aligning with the latest STIG update (RHBZ#2112937)
|
||||
- OSPP: use Authselect minimal profile (RHBZ#2117192)
|
||||
- OSPP: change rules for protecting of boot (RHBZ#2116440)
|
||||
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
|
||||
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
|
||||
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
|
||||
- fix handling of Rsyslog include directives (RHBZ#2075384)
|
||||
|
||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
||||
|
||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||
- Rebase to a new upstream release (RHBZ#2070564)
|
||||
|
||||
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
|
||||
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
|
||||
- Fix Ansible sysctl remediation (RHBZ#2079241)
|
||||
|
||||
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
||||
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
|
||||
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
|
||||
|
||||
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
||||
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
||||
|
||||
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
|
||||
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
||||
|
||||
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
|
||||
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
|
||||
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
||||
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
|
||||
|
||||
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014485)
|
||||
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
|
||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
|
||||
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
|
||||
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
|
||||
- Update GRUB2 rule descriptions (RHBZ#2014485)
|
||||
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
|
||||
|
||||
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
|
||||
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
|
||||
- Align audit rules for OSPP profile (RHBZ#2000264)
|
||||
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
|
||||
|
||||
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
||||
- Rebase to a new upstream release (RHBZ#2014485)
|
||||
|
||||
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
|
||||
- Rebase to a new upstream release (RHBZ#2014485)
|
||||
|
||||
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
|
||||
- Rebase to a new upstream release. (RHBZ#2014485)
|
||||
- Add a VM wait handling to fix issues with tests.
|
||||
|
||||
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
|
||||
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
|
||||
|
||||
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
||||
- Fix remaining audit rules file permissions (RHBZ#1993056)
|
||||
- Mark a STIG service rule as machine only (RHBZ#1993056)
|
||||
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
|
||||
|
||||
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
|
||||
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
|
||||
- Include tests for Ansible Playbooks that remove and reintroduce files.
|
||||
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
|
||||
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
|
||||
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
|
||||
- Add Kickstart files for ISM profile (RHBZ#1955373)
|
||||
- Fix broken RHEL7 documentation links (RHBZ#1966577)
|
||||
|
||||
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Enable the ISM profile.
|
||||
|
||||
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
|
||||
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
|
||||
|
||||
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Add ANSSI High Profile (RHBZ#1955183)
|
||||
|
||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
||||