From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 6 Jul 2022 16:55:59 +0200
Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent
Create rule that ensure that systemd.debug-shell=1 is not defined for the kernel command line.
---
 .../rule.yml | 51 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 1 -
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..8b6ff3bc333
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Ensure debug-shell service is not enabled during boot'
+
+description: |-
+ systemd's debug-shell service is intended to
+ diagnose systemd related boot issues with various systemctl
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on tty9 which is access by pressing
+ CTRL-ALT-F9. The debug-shell service should only be used
+ for systemd related issues and should otherwise be disabled.
+

+ By default, the debug-shell systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the systemd.debug-shel=1
+ boot paramenter option.
+
+ Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub
+ doesn't contain the argument systemd.debug-shell=1.
+ Run the following command to update command line for already installed kernels:
+
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86292-0
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+
grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub
+ If the command returns a line, it means that debug-shell service is being enabled.
+
+fixtext: |-
+ {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
+
+platform: machine
+
+template:
+ name: grub2_bootloader_argument_absent
+ vars:
+ arg_name: systemd.debug-shell
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 431b133d416..b7af828fdb0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -271,7 +271,6 @@ CCE-86288-8
 CCE-86289-6
 CCE-86290-4
 CCE-86291-2
-CCE-86292-0
 CCE-86293-8
 CCE-86294-6
 CCE-86295-3
From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001
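Review bot: The fixtext and the template disagree on the argument name: `fixtext_grub2_bootloader_argument_absent("debug-shell")` is handed `debug-shell`, while the template gets `arg_name: systemd.debug-shell`; if the macro takes the kernel argument as its parameter, as its name suggests, the generated fix text would name an argument that does not exist, and the line should read `{{{ fixtext_grub2_bootloader_argument_absent("systemd.debug-shell") | indent(4) }}}`. The manual OCIL check `grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub` is narrower than the automated check, which keys on any `systemd.debug-shell` occurrence whatever its value; dropping `=1` from the grep keeps the two consistent. The description also carries typos a reader of the generated guide will see: `systemd.debug-shel=1` (missing `l`), `paramenter`, `which is access by` (`accessed`), and `comand` in ocil_clause.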
From: Watson Sato
Date: Fri, 8 Jul 2022 21:57:52 +0200
Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent
Create rule that ensures systemd.debug-shell=1 is not defined for the kernel command line in zIPL.
---
 .../ansible/shared.yml | 38 ++++++++++++++
 .../bash/shared.sh | 9 ++++
 .../oval/shared.xml | 39 +++++++++++++++
 .../rule.yml | 50 +++++++++++++++++++
 .../tests/argument_missing.pass.sh | 8 +++
 .../tests/configured_in_cmdline.fail.sh | 10 ++++
 .../tests/configured_in_entry.fail.sh | 11 ++++
 .../multiple_configured_in_cmdline.fail.sh | 7 +++
 shared/references/cce-redhat-avail.txt | 1 -
 9 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
new file mode 100644
index 00000000000..790dd88b6b4
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain systemd.debug-shell"
+ block:
+ - name: "Check how many boot entries set systemd.debug-shell"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*systemd.debug-shell.*$"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Remove systemd.debug-shell from boot entries"
+ command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+ when: n_entries is defined and n_entries.matched >= 1
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*systemd.debug-shell.*$"
+ register: cmdline_find
+
+ - name: "Remove systemd.debug-shell from /etc/kernel/cmdline"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$'
+ line: '\1\2'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
new file mode 100644
index 00000000000..0d90d58db2c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
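Review bot: The block name `Ensure BLS boot entries options contain systemd.debug-shell` states the opposite of what its tasks do (they remove the argument); it should read `Ensure BLS boot entries options do not contain systemd.debug-shell`. `backrefs: yes` should be `backrefs: true`: `yes` is a YAML 1.1 truthy spelling that yamllint flags and a YAML 1.2 parser reads as a string. The `.` in `systemd.debug-shell` is unescaped in every pattern of this patch (the `find`/`lineinfile` regexes here, the bash `grep`/`sed`, the OVAL patterns and the test fixtures), so it matches any character; `systemd\.debug-shell` is what is meant. Note also that `lineinfile` with `backrefs` rewrites the line from a single match, so a cmdline that carries the argument twice keeps one occurrence after remediation and would still fail the OVAL check.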
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+# Ensure new kernels and boot entries retain the boot option
+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
+ sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
new file mode 100644
index 00000000000..1399c6f662f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
@@ -0,0 +1,39 @@
+ + + {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}} + + + + + + + + + + ^/boot/loader/entries/.*.conf + ^options (.*)$ + 1 + + + \bsystemd.debug-shell\b + + + + + + + ^/etc/kernel/cmdline + ^(.*)$ + 1 + + + \bsystemd.debug-shell\b + +
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..3a442c4eb79
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
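Review bot: The comment `# Ensure new kernels and boot entries retain the boot option` says the opposite of what the `sed` below it does; it should read `# Ensure new kernels and boot entries do not get the boot option`. The substitution has no `g` flag and its leading greedy `(.*)` anchors on one occurrence, so a cmdline that lists `systemd.debug-shell` more than once on the line keeps an occurrence after remediation and the check still fails; `sed -Ei 's/\s*\bsystemd\.debug-shell\b\S*//g' /etc/kernel/cmdline` removes every occurrence and also escapes the `.` that currently matches any character. `grep -q` writes an error to stderr when `/etc/kernel/cmdline` is absent, a case the test scripts in this patch explicitly tolerate with `|| true`; `grep -qs` keeps remediation output clean there.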
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhcos4,rhel8,rhel9
+
+title: 'Ensure debug-shell service is not enabled in zIPL'
+
+description: |-
+ systemd's debug-shell service is intended to
+ diagnose systemd related boot issues with various systemctl
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on tty9 which is access by pressing
+ CTRL-ALT-F9. The debug-shell service should only be used
+ for systemd related issues and should otherwise be disabled.
+

+ By default, the debug-shell systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the systemd.debug-shel=1
+ boot paramenter option.
+
+ Check that not boot entries in /boot/loader/entries/*.conf have
+ systemd.debug-shell=1 included in its options.
+ To ensure that new kernels and boot entries don't enable the debug-shell, check
+ that systemd.debug-shell=1 is not present in /etc/kernel/cmdline.
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86420-7
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+
sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that enables the debug-shell.
+
+platform: machine
+
+#template:
+# name: zipl_bls_entries_option_absent
+# vars:
+# arg_name: systemd.debug-shell
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
new file mode 100644
index 00000000000..4649db979cf
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries don't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..faac856fbed
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline contains systemd.debug-shell
+if ! grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "systemd.debug-shell=1" >> /etc/kernel/cmdline
+fi
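Review bot: The OCIL command `sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf` reports the wrong files: `-L` lists the files that do not match, and without `-E` GNU grep treats the `+` in `\s+` as a literal plus sign, so no entry can match and every entry is printed and, per the text that follows, read as enabling the debug-shell. It should be `sudo grep -lE "^options\s+.*\bsystemd\.debug-shell=1\b" /boot/loader/entries/*.conf`, which lists only the entries that carry the argument. The OCIL also inspects only the boot entries, while the rule's OVAL and remediations in this patch also cover `/etc/kernel/cmdline`, so the manual check passes on a host whose next installed kernel will re-enable the option; a second grep of `/etc/kernel/cmdline` would align the two. The prose carries the same typos as the grub2 rule: `systemd.debug-shel=1`, `paramenter`, `Check that not boot entries` (should be `no boot entries`), and `comand` in ocil_clause.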
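Review bot: The guard `grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline` in configured_in_cmdline.fail.sh uses ERE grouping and `?` without `-E`, so in GNU grep's default BRE the parentheses and `?` are literal and the pattern never matches; the `echo` therefore always appends, and a cmdline that already has the argument ends up with it twice, which is not what the comment describes. Use `grep -qsE '^(.*\s)?systemd\.debug-shell(\s.*)?$' /etc/kernel/cmdline`. The `sed -E` expressions in argument_missing.pass.sh and in this file rely on `(.*?)`, a lazy-quantifier form POSIX ERE leaves undefined; `(.*)$` is all that is needed since the group is only re-emitted as `\2`.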
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
new file mode 100644
index 00000000000..fe07a37d0c3
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove systemd.debug-shell from all boot entries
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains systemd.debug-shell
+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..0c2febb0370
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b7af828fdb0..254fa817f8e 100644
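Review bot: The scenario name multiple_configured_in_cmdline suggests the argument appears more than once, but `echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline` writes it a single time between two other options, so the remediation's one-match `sed`/`lineinfile` substitution is never exercised against a repeated argument. If the intent is surrounding options, a name such as `configured_in_cmdline_with_other_options.fail.sh` says so; if the intent is repetition, `echo "option1 systemd.debug-shell=1 option2 systemd.debug-shell=1" > /etc/kernel/cmdline` makes the fixture match the name and would expose a remediation that removes only one occurrence. This fixture also replaces the whole file rather than editing it in place like the other scenarios, which is presumably deliberate for a fail test but worth a comment.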
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -376,7 +376,6 @@ CCE-86416-5
 CCE-86417-3
 CCE-86418-1
 CCE-86419-9
-CCE-86420-7
 CCE-86424-9
 CCE-86425-6
 CCE-86426-4
From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 7 Jul 2022 09:37:46 +0200
Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP
---
 products/rhel9/profiles/ospp.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f902dd5e7cd..f1faaedb812 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -75,6 +75,7 @@ selections:
 - disable_ctrlaltdel_reboot
 - disable_ctrlaltdel_burstaction
 - service_debug-shell_disabled
+ - grub2_systemd_debug-shell_argument_absent
 ### umask
 - var_accounts_user_umask=027
@@ -380,3 +381,4 @@ selections:
 - zipl_audit_backlog_limit_argument
 - zipl_init_on_alloc_argument
 - zipl_page_alloc_shuffle_argument
+ - zipl_systemd_debug-shell_argument_absent