From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Fri, 30 Jul 2021 16:57:13 +0200 Subject: [PATCH 1/5] Enable more RHEL9 content --- .../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++- .../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +- .../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ---- .../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++- .../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++- .../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++- .../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++- .../installed_OS_is_FIPS_certified/oval/shared.xml | 1 + .../rule.yml | 3 ++- products/rhel9/profiles/hipaa.profile | 6 +++--- products/rhel9/profiles/ospp.profile | 8 ++++---- products/rhel9/profiles/pci-dss.profile | 4 ++-- shared/references/cce-redhat-avail.txt | 6 ------ 13 files changed, 23 insertions(+), 26 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml index f43f92c2f15..c0fbe2c5e34 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol8,rhel8,rhcos4 +prodtype: ol8,rhel8,rhel9,rhcos4 title: 'Configure session renegotiation for SSH client' @@ -27,6 +27,7 @@ severity: medium identifiers: cce@rhel8: CCE-82880-6 + cce@rhel9: CCE-87522-9 references: disa: CCI-000068 diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh index 7d4faedfb47..d8063726fb4 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol # Include source function library. . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh index 94767ad5993..4cbf5c84651 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh @@ -1,9 +1,5 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux {{%- if init_system == "systemd" -%}} -{{% if product in ["rhel7", "rhel8"] %}} -# The process to disable ctrl+alt+del has changed in RHEL7. -# Reference: https://access.redhat.com/solutions/1123873 -{{% endif %}} systemctl disable --now ctrl-alt-del.target systemctl mask --now ctrl-alt-del.target {{%- else -%}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml index 0652fbeadaf..9c6534cf401 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 title: 'Install the pcsc-lite package' 
@@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel7: CCE-82347-6 cce@rhel8: CCE-80993-9 + cce@rhel9: CCE-86280-5 references: disa: CCI-001954 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml index e14db48c22a..6472ade5791 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 title: 'Enable the pcscd Service' @@ -24,6 +24,7 @@ severity: medium identifiers: cce@rhel7: CCE-80569-7 cce@rhel8: CCE-80881-6 + cce@rhel9: CCE-87907-2 references: disa: CCI-001954 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml index a6862c2af25..984a8cf333e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 title: 'Enforce usage of pam_wheel for su authentication' @@ -20,6 +20,7 @@ severity: medium identifiers: cce@rhel7: CCE-85855-5 cce@rhel8: CCE-83318-6 + cce@rhel9: CCE-90085-2 references: cis@rhel7: "5.7" 
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml index 1b71c7d3acd..3779b396b4e 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004 +prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004 title: 'Ensure the Default C Shell Umask is Set Correctly' @@ -20,6 +20,7 @@ identifiers: cce@rhcos4: CCE-84261-7 cce@rhel7: CCE-80203-3 cce@rhel8: CCE-81037-4 + cce@rhel9: CCE-87721-7 references: cis-csc: '18' diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml index a65bec7348c..3a4847ff9d8 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml @@ -6,6 +6,7 @@ + diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml index 8b6577226fb..4f49b3b825d 100644 --- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel8 +prodtype: rhel8,rhel9 title: 'Install dnf-plugin-subscription-manager Package' 
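Review bot: Adding `rhel9` to the `prodtype` of package_dnf-plugin-subscription-manager_installed makes the rule and its install remediation apply to a product where, according to the message of PATCH 5/5 in this same series, the package has been merged into subscription-manager, so on RHEL 9 the check would always fail and the remediation would try to install a package that does not exist. If the later patch reverts this, consider dropping the rhel9 entries here together with the matching `- package_dnf-plugin-subscription-manager_installed` selection in ospp.profile and the CCE-89879-1 allocation, so that no intermediate commit ships a rule the product cannot satisfy. The rest of the rule body is outside the hunk.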
@@ -17,6 +17,7 @@ severity: medium identifiers: cce@rhel8: CCE-82315-3 + cce@rhel9: CCE-89879-1 references: ism: 0940,1144,1467,1472,1483,1493,1494,1495 diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile index 1e0ea047b98..797c62708e2 100644 --- a/products/rhel9/profiles/hipaa.profile +++ b/products/rhel9/profiles/hipaa.profile @@ -33,9 +33,9 @@ selections: - require_singleuser_auth - restrict_serial_port_logins - securetty_root_login_console_only - - service_debug-shell_disabled # not supported in RHEL9 ATM - - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM - - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM + - service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction - dconf_db_up_to_date - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile index 0ae391c60bf..adec0cbd774 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile @@ -107,7 +107,7 @@ selections: - var_accounts_user_umask=027 - accounts_umask_etc_profile - accounts_umask_etc_bashrc -# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM + - accounts_umask_etc_csh_cshrc ### Software update - ensure_redhat_gpgkey_installed @@ -177,7 +177,7 @@ selections: - package_aide_installed - package_dnf-automatic_installed - package_subscription-manager_installed -# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM + - package_dnf-plugin-subscription-manager_installed - package_firewalld_installed - package_openscap-scanner_installed - package_policycoreutils_installed 
@@ -221,7 +221,7 @@ selections: - securetty_root_login_console_only - var_password_pam_unix_remember=5 - accounts_password_pam_unix_remember -# - use_pam_wheel_for_su # not supported in RHEL9 ATM + - use_pam_wheel_for_su ### SELinux Configuration - var_selinux_state=enforcing @@ -422,7 +422,7 @@ selections: - kerberos_disable_no_keytab # set ssh client rekey limit -# - ssh_client_rekey_limit # not supported in RHEL9 ATM + - ssh_client_rekey_limit - var_ssh_client_rekey_limit_size=1G - var_ssh_client_rekey_limit_time=1hour diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile index af347501989..1fe85d39ae0 100644 --- a/products/rhel9/profiles/pci-dss.profile +++ b/products/rhel9/profiles/pci-dss.profile @@ -121,8 +121,8 @@ selections: - var_smartcard_drivers=cac - configure_opensc_card_drivers - force_opensc_card_drivers -# - package_pcsc-lite_installed # not supported in RHEL9 ATM -# - service_pcscd_enabled # not supported in RHEL9 ATM + - package_pcsc-lite_installed + - service_pcscd_enabled - sssd_enable_smartcards - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index aa0b30da834..e78838a45aa 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -396,7 +396,6 @@ CCE-86276-3 CCE-86277-1 CCE-86278-9 CCE-86279-7 -CCE-86280-5 CCE-86281-3 CCE-86282-1 CCE-86283-9 @@ -1618,7 +1617,6 @@ CCE-87518-7 CCE-87519-5 CCE-87520-3 CCE-87521-1 -CCE-87522-9 CCE-87523-7 CCE-87525-2 CCE-87526-0 @@ -1812,7 +1810,6 @@ CCE-87717-5 CCE-87718-3 CCE-87719-1 CCE-87720-9 -CCE-87721-7 CCE-87722-5 CCE-87723-3 CCE-87724-1 @@ -1994,7 +1991,6 @@ CCE-87903-1 CCE-87904-9 CCE-87905-6 CCE-87906-4 -CCE-87907-2 CCE-87908-0 CCE-87909-8 CCE-87910-6 @@ -3932,7 +3928,6 @@ CCE-89874-2 CCE-89875-9 CCE-89877-5 CCE-89878-3 -CCE-89879-1 CCE-89880-9 CCE-89881-7 CCE-89882-5 
@@ -4135,7 +4130,6 @@ CCE-90081-1 CCE-90082-9 CCE-90083-7 CCE-90084-5 -CCE-90085-2 CCE-90086-0 CCE-90087-8 CCE-90088-6 From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Wed, 4 Aug 2021 16:30:45 +0200 Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules --- .../configure_bashrc_exec_tmux/bash/shared.sh | 2 +- .../configure_tmux_lock_after_time/bash/shared.sh | 2 +- .../configure_tmux_lock_command/bash/shared.sh | 2 +- .../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +- .../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh index 0c544bfbb82..737d725872d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_all if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then cat >> /etc/bashrc <<'EOF' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh index 233047afcbc..947e1dd7ee5 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh 
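Review bot: `# platform = multi_platform_all` widens the applicability of the configure_bashrc_exec_tmux remediation far beyond the RHEL 9 enablement the commit is about; the same change is made in the configure_tmux_lock_after_time, configure_tmux_lock_command and no_tmux_in_shells hunks that follow, while enable_fips_mode in the same patch chose the narrower `multi_platform_rhel`. All four scripts edit `/etc/bashrc`, `/etc/tmux.conf` or `/etc/shells`, and `/etc/bashrc` is a Red Hat family path (Debian-derived systems use /etc/bash.bashrc), so the platform line no longer guards anything. Whether a non-Red-Hat product actually builds these remediations depends on each rule's prodtype, which is outside these hunks, but a later prodtype widening would then silently apply the edits. For consistency with enable_fips_mode, write `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4` in all four files instead.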
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_all tmux_conf="/etc/tmux.conf" diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh index f2430618ab3..0c11c1224e2 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora +# platform = multi_platform_all tmux_conf="/etc/tmux.conf" diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh index 45c43e8d374..60e0a7e34c8 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_all if grep -q 'tmux$' /etc/shells ; then sed -i '/tmux$/d' /etc/shells 
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index 87476a7b315..c98847ded72 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4 +# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4 fips-mode-setup --enable From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Wed, 4 Aug 2021 17:56:57 +0200 Subject: [PATCH 3/5] Update the grub config path RHEL9 and Fedora EFI/legacy grub paths have been unified: https://fedoraproject.org/wiki/Changes/UnifyGrubConfig The location of Ubuntu EFI grub paths has been estimated from https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg Location of SLE EFI grub paths has been taken from existing rules --- .../grub2_uefi_admin_username/oval/shared.xml | 16 ++++--------- .../uefi/grub2_uefi_admin_username/rule.yml | 2 +- .../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------ .../uefi/grub2_uefi_password/rule.yml | 10 ++++---- .../uefi_no_removeable_media/oval/shared.xml | 16 ++++--------- products/fedora/product.yml | 2 ++ products/rhel7/product.yml | 2 ++ products/rhel8/product.yml | 2 ++ products/rhel9/product.yml | 2 ++ products/sle12/product.yml | 2 ++ products/sle15/product.yml | 1 + products/ubuntu1604/product.yml | 1 + products/ubuntu1804/product.yml | 1 + products/ubuntu2004/product.yml | 1 + ssg/constants.py | 1 + ssg/products.py | 4 ++++ tests/shared/grub2.sh | 10 +++++--- 17 files changed, 50 insertions(+), 47 deletions(-) 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml index 8545e8ab2c7..7950c15a848 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml @@ -1,26 +1,20 @@ -{{% if product == "fedora" %}} -{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}} -{{% else %}} -{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}} -{{% endif %}} - {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}} - {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}} - + {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}} + - {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}} + {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}} - + - {{{ grub_cfg_prefix + "/grub.cfg" }}} + {{{ grub2_uefi_boot_path + "/grub.cfg" }}} ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ 1 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index 8a98cbdc95f..128d7cc1cb8 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -20,7 +20,7 @@ description: |- Once the superuser account has been added, update the grub.cfg file by running: -
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
+
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
rationale: |- Having a non-default grub superuser username makes password-guessing attacks less effective. diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml index 230aab73139..a67c8ad99bb 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml @@ -1,32 +1,26 @@ -{{% if product == "fedora" %}} -{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}} -{{% else %}} -{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}} -{{% endif %}} - {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}} - {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}} + {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}} - - + + - + - {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}} + {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}} - + - {{{ grub_cfg_prefix }}}/grub.cfg + {{{ grub2_uefi_boot_path }}}/grub.cfg ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ 1 @@ -35,7 +29,7 @@ - {{{ grub_cfg_prefix }}}/user.cfg + {{{ grub2_uefi_boot_path }}}/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 @@ -44,7 +38,7 @@
- {{{ grub_cfg_prefix }}}/grub.cfg + {{{ grub2_uefi_boot_path }}}/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index cb0d60c3ddf..cc68441e5ad 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -31,10 +31,8 @@ description: |- grub.cfg file by running: {{% if "ubuntu" in product %}}
update-grub
- {{% elif product in ["sle12", "sle15"] %}} -
grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg
{{% else %}} -
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
+
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
{{% endif %}} rationale: |- @@ -91,18 +89,18 @@ ocil: |- To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: {{% if product in ["sle12", "sle15"] %}} -
sudo cat /boot/efi/EFI/sles/grub.cfg
+
sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
The output should be similar to:
password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
{{% elif "ubuntu" in product %}} -
grep -i password /boot/grub/grub.cfg
+
grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
The output should contain something similar to:
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
{{% else %}} -
sudo cat /boot/efi/EFI/redhat/user.cfg
+
sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
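Review bot: The Ubuntu branch of the `ocil` text now greps `{{{ grub2_uefi_boot_path }}}/grub.cfg`, which with the new ubuntu product.yml value expands to `/boot/efi/EFI/ubuntu/grub.cfg`; on Ubuntu that file is a small stub that only sets `prefix` and chain-loads `/boot/grub/grub.cfg`, and the latter is where `update-grub` writes the `password_pbkdf2` line and what the replaced `grep -i password /boot/grub/grub.cfg` inspected. The commit message itself calls the Ubuntu EFI path an estimate, so keep the ubuntu branch on the legacy path, `grep -i password {{{ grub2_boot_path }}}/grub.cfg`, which the ubuntu product.yml files set to /boot/grub. Separately, `sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg` lacks the space before `}}}` that every other expansion in this file has; write `{{{ grub2_uefi_boot_path }}}/user.cfg`.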
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
index 72872d907e3..89a9fae86ec 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
@@ -1,27 +1,21 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
 
   
     {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
     
-      
-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+      
+      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
     
   
 
   
   
   
   
 
   
-    {{{ grub_cfg_prefix + "/grub.cfg" }}}
+    {{{ grub2_uefi_boot_path + "/grub.cfg" }}}
     ^[ \t]*set root=(.+?)[ \t]*(?:$|#)
     1
   
@@ -30,5 +24,5 @@
     ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$
   
 
-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
 
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
index 0cb53c5331e..ea8e98eea78 100644
--- a/products/fedora/product.yml
+++ b/products/fedora/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
 
 init_system: "systemd"
 
+grub2_boot_path: "/boot/grub2"
+
 dconf_gdm_dir: "distro.d"
 
 cpes_root: "../../shared/applicability"
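Review bot: The value made explicit here, `grub2_boot_path: "/boot/grub2"`, is identical to DEFAULT_GRUB2_BOOT_PATH in ssg/constants.py, while the path whose meaning actually changes for this product — the UEFI one, which the rewritten OVAL now reads from `grub2_uefi_boot_path` — is left to the implied default; the rhel9 product.yml hunk does the same. Making the UEFI path explicit documents the unification the commit message describes and keeps these products correct if the default is ever changed: `grub2_uefi_boot_path: "/boot/grub2"  # EFI and legacy grub.cfg share one location on this product`.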
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
index fb5d17786da..6438797f218 100644
--- a/products/rhel7/product.yml
+++ b/products/rhel7/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
 oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
 
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - rhel7:
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
index 78c987b2457..f6d2102558d 100644
--- a/products/rhel8/product.yml
+++ b/products/rhel8/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
 oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
 
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - rhel8:
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 4ceb332adf3..6b5a15d5cee 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
 
 init_system: "systemd"
 
+grub2_boot_path: "/boot/grub2"
+
 dconf_gdm_dir: "distro.d"
 
 # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
index d1301a17f91..b9e44e0725c 100644
--- a/products/sle12/product.yml
+++ b/products/sle12/product.yml
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
 pkg_manager_config_file: "/etc/zypp/zypp.conf"
 oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
 
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - sle12-server:
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
index 827a875d493..36ec98397f6 100644
--- a/products/ubuntu1604/product.yml
+++ b/products/ubuntu1604/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
 oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
 
 grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
 
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
index 68922441a2a..f1671b8d7dd 100644
--- a/products/ubuntu1804/product.yml
+++ b/products/ubuntu1804/product.yml
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
 init_system: "systemd"
 
 grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
 
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
index 15565b6748f..d75624d70a3 100644
--- a/products/ubuntu2004/product.yml
+++ b/products/ubuntu2004/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
 oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
 
 grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
 
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/ssg/constants.py b/ssg/constants.py
index 666d7a4d3c8..f9c978a22a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -383,4 +383,5 @@
 # Application constants
 DEFAULT_UID_MIN = 1000
 DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
 DEFAULT_DCONF_GDM_DIR = 'gdm.d'
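Review bot: `DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'` changes the fallback for every product that does not set `grub2_uefi_boot_path` in its product.yml: the template code removed in this patch used `/boot/efi/EFI/redhat` for everything except fedora, and only fedora, rhel7/8/9, sle12/15 and the ubuntu products receive an explicit value here (the `_get_implied_properties` hunk in ssg/products.py is where this default is applied). Any other product that builds the uefi rules silently moves from `/boot/efi/EFI/redhat` to `/boot/grub2`; ol7, ol8, rhv4 and rhcos4 appear in prodtype lists elsewhere in this series, though the uefi rules' own prodtype is not visible. Either keep the previous fallback as the default, `DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/efi/EFI/redhat'  # historical fallback; unified-layout products override it`, and set `/boot/grub2` explicitly in the fedora and rhel9 product.yml, or add the override to each remaining product.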
diff --git a/ssg/products.py b/ssg/products.py
index 25178b741b2..fb55f5c2f4b 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -9,6 +9,7 @@
 from .constants import (product_directories,
                         DEFAULT_UID_MIN,
                         DEFAULT_GRUB2_BOOT_PATH,
+                        DEFAULT_GRUB2_UEFI_BOOT_PATH,
                         DEFAULT_DCONF_GDM_DIR,
                         PKG_MANAGER_TO_SYSTEM,
                         PKG_MANAGER_TO_CONFIG_FILE,
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
     if "grub2_boot_path" not in existing_properties:
         result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
 
+    if "grub2_uefi_boot_path" not in existing_properties:
+        result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
+
     if "dconf_gdm_dir" not in existing_properties:
         result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
 
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index bce7683a7c1..f024b3766cf 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
 
 function set_grub_uefi_root {
 	if grep NAME /etc/os-release | grep -iq fedora; then
-		GRUB_CFG_ROOT=/boot/efi/EFI/fedora
-	else
-		GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+		GRUB_CFG_ROOT=/boot/grub2
+	elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
+		if grep VERSION /etc/os-release | grep -q '9\.0'; then
+			GRUB_CFG_ROOT=/boot/grub2
+		else
+			GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+		fi
 	fi
 }
 
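Review bot: `grep VERSION /etc/os-release | grep -q '9\.0'` pins the unified layout to the 9.0 release, so a RHEL 9.1+ host falls back to `/boot/efi/EFI/redhat`, and because `grep VERSION` also matches `VERSION_ID` and any other `*VERSION*` key, `9\.0` is a substring test rather than a major-version check. Dropping the old `else` branch also changes behaviour for hosts that are neither Fedora nor "Red Hat" (the old code sent them to `/boot/efi/EFI/redhat`; now GRUB_CFG_ROOT keeps whatever line 2 of the file set). Suggest testing the major version from `VERSION_ID` and restoring the fallback:
```shell
function set_grub_uefi_root {
	if grep NAME /etc/os-release | grep -iq fedora; then
		GRUB_CFG_ROOT=/boot/grub2
	elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
		# Unified EFI/legacy grub.cfg applies to the whole 9 major, not only 9.0
		if grep -q '^VERSION_ID="9' /etc/os-release; then
			GRUB_CFG_ROOT=/boot/grub2
		else
			GRUB_CFG_ROOT=/boot/efi/EFI/redhat
		fi
	else
		# Previous behaviour for other Red Hat derived systems
		GRUB_CFG_ROOT=/boot/efi/EFI/redhat
	fi
}
```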

From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
From: Matej Tyc 
Date: Thu, 5 Aug 2021 17:59:39 +0200
Subject: [PATCH 4/5] Add the sshd directory configuration rule

Remediations of other sshd rules assume that sshd is configured using
multiple files as opposed to one huge file, and this rule
makes sure that the assumption is guarded.
---
 controls/anssi.yml                      | 3 +++
 products/rhel9/profiles/cis.profile     | 2 ++
 products/rhel9/profiles/cjis.profile    | 1 +
 products/rhel9/profiles/e8.profile      | 1 +
 products/rhel9/profiles/hipaa.profile   | 1 +
 products/rhel9/profiles/ism_o.profile   | 1 +
 products/rhel9/profiles/ospp.profile    | 1 +
 products/rhel9/profiles/pci-dss.profile | 1 +
 products/rhel9/profiles/rht-ccp.profile | 1 +
 9 files changed, 12 insertions(+)

diff --git a/controls/anssi.yml b/controls/anssi.yml
index 7737e67ea51..eee79cf1ef7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -384,6 +384,9 @@ controls:
     - package_sudo_installed
     - audit_rules_privileged_commands_sudo
 
+    # This rule should be present in the profile at least once
+    - sshd_use_directory_configuration
+
   - id: R20
     levels:
     - enhanced
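Review bot: The added `# This rule should be present in the profile at least once` says that the selection must exist but not why it sits in this control, which from the visible context groups sudo rules (`package_sudo_installed`, `audit_rules_privileged_commands_sudo`); the control's `id:` and its remaining rules are above the hunk, so a reader will assume the rule belongs with sudo. Suggest stating the dependency the commit message describes, `# Other sshd remediations assume sshd_config.d is used; select this guard rule at least once per profile`, and, if an sshd-related control exists in this file, moving the selection there.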
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 622f88e3766..8d7816e5e2d 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -791,6 +791,8 @@ selections:
     - file_permissions_sshd_pub_key
     # TO DO: check owner of pub keys in /etc/ssh is root:root
 
+    # Ensure that the configuration is done the right way
+    - sshd_use_directory_configuration
     ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
     - sshd_set_loglevel_info
 
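Review bot: The new selection is dropped into the 5.2.4 stanza directly above the `### 5.2.5` heading with no separating blank line, although the blank lines around it in this hunk show that stanzas in this file are separated that way. Either place the two added lines after the blank line that follows the `# TO DO` note, or add a blank line before `### 5.2.5`, so the guard rule reads as its own stanza. The comment could also carry the reason given in the commit message, `# Other sshd remediations assume the sshd_config.d layout; guard that assumption`.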
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
index b45ba19d84f..0aaf7cb0206 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -98,6 +98,7 @@ selections:
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
+    - sshd_use_directory_configuration
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 6d87a778eee..3851255ccec 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -126,6 +126,7 @@ selections:
   - audit_rules_kernel_module_loading
 
   ### Secure access
+  - sshd_use_directory_configuration
   - sshd_disable_root_login
   - sshd_disable_gssapi_auth
   - sshd_print_last_log
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 797c62708e2..d1dc18ba33c 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
     - dconf_db_up_to_date
     - dconf_gnome_remote_access_credential_prompt
     - dconf_gnome_remote_access_encryption
+    - sshd_use_directory_configuration
     - sshd_disable_empty_passwords
     - sshd_disable_root_login
     - libreswan_approved_tunnels
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 82e863ad3d3..6fc919da128 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -56,6 +56,7 @@ selections:
   ## Authentication hardening
   ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
   ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+  - sshd_use_directory_configuration
   - sshd_max_auth_tries_value=5
   - disable_host_auth
   - require_emergency_target_auth
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index adec0cbd774..08ffcccd9e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
 
     ### Services
     # sshd
+    - sshd_use_directory_configuration
     - sshd_disable_root_login
     - sshd_enable_strictmodes
     - disable_host_auth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 1fe85d39ae0..bd16dc97721 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -105,6 +105,7 @@ selections:
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
+    - sshd_use_directory_configuration
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0
     - accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
index e1d9a70b493..8576975aa54 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -87,6 +87,7 @@ selections:
     - service_telnet_disabled
     - package_telnet-server_removed
     - package_telnet_removed
+    - sshd_use_directory_configuration
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0

From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
From: Matej Tyc 
Date: Wed, 11 Aug 2021 16:43:00 +0200
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages

Packages dnf-plugin-subscription-manager and subscription-manager are
merged into subscription-manager in RHEL9 - see
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
---
 .../rule.yml                                             | 3 +--
 .../package_subscription-manager_installed/rule.yml      | 9 ++++++++-
 products/rhel9/profiles/ospp.profile                     | 1 -
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 4f49b3b825d..8b6577226fb 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8,rhel9
+prodtype: rhel8
 
 title: 'Install dnf-plugin-subscription-manager Package'
 
@@ -17,7 +17,6 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-82315-3
-    cce@rhel9: CCE-89879-1
 
 references:
     ism: 0940,1144,1467,1472,1483,1493,1494,1495
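Review bot: Removing `cce@rhel9: CCE-89879-1` leaves that identifier assigned to nothing: this patch's diffstat lists only three files and does not touch `shared/references/cce-redhat-avail.txt`, so the CCE is neither returned to the available pool nor reassigned. Either add `CCE-89879-1` back to the available list or, if `package_subscription-manager_installed` does not yet carry a `cce@rhel9`, move it there so the RHEL9 control that now covers this package keeps a stable identifier. The `prodtype` hunk above (`rhel8,rhel9` → `rhel8`) is part of the same change; any other rhel9 profile still selecting `package_dnf-plugin-subscription-manager_installed` would now reference a rule outside its prodtype — presumably the build reports that, but it is worth a grep since only ospp.profile is updated here.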
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index b90a7588270..32e5ce9a129 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -12,7 +12,14 @@ rationale: |-
     and subscriptions on a local system to help manage subscription assignments.
     It communicates with the backend subscription service (the Customer Portal
     or an on-premise server such as Subscription Asset Manager) and works with
-    content management tools such as yum.
+    content management tools such as {{{ package_manager }}}.
+
+    {{% if product in ["rhel9"] %}}
+    The package provides, among other things, {{{ package_manager }}} plugins
+    to interact with repositories and subscriptions
+    from the Red Hat entitlement platform - the subscription-manager and
+    product-id plugins.
+    {{% endif %}}
 
 severity: medium
 
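Review bot: `{{% if product in ["rhel9"] %}}` tests membership in a one-element list; `{{% if product == "rhel9" %}}` says the same thing more directly, unless more products are expected to join the list soon. The new paragraph correctly lives inside the `|-` block scalar, and the `-` chomping drops the blank line that precedes it for non-rhel9 products, so the rendered rationale should not gain a trailing blank line. The `rationale:` scalar begins outside the hunk.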
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 08ffcccd9e2..1b060c7bf07 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -178,7 +178,6 @@ selections:
     - package_aide_installed
     - package_dnf-automatic_installed
     - package_subscription-manager_installed
-    - package_dnf-plugin-subscription-manager_installed
     - package_firewalld_installed
     - package_openscap-scanner_installed
     - package_policycoreutils_installed