scap-security-guide/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch

From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 6 Jul 2022 16:55:59 +0200
Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent

Create rule that ensure that systemd.debug-shell=1 is not defined for
the kernel command line.
---
 .../rule.yml                                  | 51 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  1 -
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..8b6ff3bc333
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Ensure debug-shell service is not enabled during boot'
+
+description: |-
+    systemd's <tt>debug-shell</tt> service is intended to
+    diagnose systemd related boot issues with various <tt>systemctl</tt>
+    commands. Once enabled and following a system reboot, the root shell
+    will be available on <tt>tty9</tt> which is access by pressing
+    <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+    for systemd related issues and should otherwise be disabled.
+    <br /><br />
+    By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+    Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+    boot paramenter option.
+
+    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+    doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
+    Run the following command to update command line for already installed kernels:
+    <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
+
+rationale: |-
+    This prevents attackers with physical access from trivially bypassing security
+    on the machine through valid troubleshooting configurations and gaining root
+    access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86292-0
+
+references:
+    ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+    Ensure that debug-shell service is not enabled with the following command:
+    <pre>grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub</pre>
+    If the command returns a line, it means that debug-shell service is being enabled.
+
+fixtext: |-
+    {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
+
+platform: machine
+
+template:
+    name: grub2_bootloader_argument_absent
+    vars:
+        arg_name: systemd.debug-shell
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 431b133d416..b7af828fdb0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -271,7 +271,6 @@ CCE-86288-8
 CCE-86289-6
 CCE-86290-4
 CCE-86291-2
-CCE-86292-0
 CCE-86293-8
 CCE-86294-6
 CCE-86295-3

From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 8 Jul 2022 21:57:52 +0200
Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent

Create rule that ensures systemd.debug-shell=1 is not defined for the
kernel command line in zIPL.
---
 .../ansible/shared.yml                        | 38 ++++++++++++++
 .../bash/shared.sh                            |  9 ++++
 .../oval/shared.xml                           | 39 +++++++++++++++
 .../rule.yml                                  | 50 +++++++++++++++++++
 .../tests/argument_missing.pass.sh            |  8 +++
 .../tests/configured_in_cmdline.fail.sh       | 10 ++++
 .../tests/configured_in_entry.fail.sh         | 11 ++++
 .../multiple_configured_in_cmdline.fail.sh    |  7 +++
 shared/references/cce-redhat-avail.txt        |  1 -
 9 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
new file mode 100644
index 00000000000..790dd88b6b4
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain systemd.debug-shell"
+  block:
+    - name: "Check how many boot entries set systemd.debug-shell"
+      find:
+        paths: "/boot/loader/entries/"
+        contains: "^options .*systemd.debug-shell.*$"
+        patterns: "*.conf"
+      register: n_entries
+
+    - name: "Remove systemd.debug-shell from boot entries"
+      command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+      when: n_entries is defined and n_entries.matched >= 1
+
+    - name: "Check if /etc/kernel/cmdline exists"
+      stat:
+        path: /etc/kernel/cmdline
+      register: cmdline_stat
+
+    - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell"
+      find:
+        paths: "/etc/kernel/"
+        patterns: "cmdline"
+        contains: "^.*systemd.debug-shell.*$"
+      register: cmdline_find
+
+    - name: "Remove systemd.debug-shell from /etc/kernel/cmdline"
+      lineinfile:
+        path: "/etc/kernel/cmdline"
+        backrefs: yes
+        regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$'
+        line: '\1\2'
+      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
new file mode 100644
index 00000000000..0d90d58db2c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+# Ensure new kernels and boot entries retain the boot option
+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
+    sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
new file mode 100644
index 00000000000..1399c6f662f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+  {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}}
+    <criteria operator="AND">
+      <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /boot/loader/entries/.*.conf"
+      test_ref="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" negate="true"/>
+      <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /etc/kernel/cmdline"
+      test_ref="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" negate="true"/>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf"
+  comment="Check if argument systemd.debug-shell is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
+  check="at least one" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+    <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+    <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+
+  </ind:textfilecontent54_state><ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline"
+  comment="Check if argument systemd.debug-shell is present in /etc/kernel/cmdline"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+    <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+    <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..3a442c4eb79
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhcos4,rhel8,rhel9
+
+title: 'Ensure debug-shell service is not enabled in zIPL'
+
+description: |-
+    systemd's <tt>debug-shell</tt> service is intended to
+    diagnose systemd related boot issues with various <tt>systemctl</tt>
+    commands. Once enabled and following a system reboot, the root shell
+    will be available on <tt>tty9</tt> which is access by pressing
+    <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+    for systemd related issues and should otherwise be disabled.
+    <br /><br />
+    By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+    Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+    boot paramenter option.
+
+    Check that not boot entries in <tt>/boot/loader/entries/*.conf</tt> have
+    <tt>systemd.debug-shell=1</tt> included in its options.<br />
+    To ensure that new kernels and boot entries don't enable the debug-shell, check
+    that <tt>systemd.debug-shell=1</tt> is not present in <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    This prevents attackers with physical access from trivially bypassing security
+    on the machine through valid troubleshooting configurations and gaining root
+    access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86420-7
+
+references:
+    ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+    Ensure that debug-shell service is not enabled with the following command:
+    <pre>sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf</pre>
+    No line should be returned, each line returned is a boot entry that enables the debug-shell.
+
+platform: machine
+
+#template:
+#  name: zipl_bls_entries_option_absent
+#  vars:
+#    arg_name: systemd.debug-shell
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
new file mode 100644
index 00000000000..4649db979cf
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries don't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..faac856fbed
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline contains systemd.debug-shell
+if ! grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then
+    echo "systemd.debug-shell=1" >> /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
new file mode 100644
index 00000000000..fe07a37d0c3
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove systemd.debug-shell from all boot entries
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains systemd.debug-shell
+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..0c2febb0370
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b7af828fdb0..254fa817f8e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -376,7 +376,6 @@ CCE-86416-5
 CCE-86417-3
 CCE-86418-1
 CCE-86419-9
-CCE-86420-7
 CCE-86424-9
 CCE-86425-6
 CCE-86426-4

From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 7 Jul 2022 09:37:46 +0200
Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP

---
 products/rhel9/profiles/ospp.profile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f902dd5e7cd..f1faaedb812 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -75,6 +75,7 @@ selections:
     - disable_ctrlaltdel_reboot
     - disable_ctrlaltdel_burstaction
     - service_debug-shell_disabled
+    - grub2_systemd_debug-shell_argument_absent
 
     ### umask
     - var_accounts_user_umask=027
@@ -380,3 +381,4 @@ selections:
     - zipl_audit_backlog_limit_argument
     - zipl_init_on_alloc_argument
     - zipl_page_alloc_shuffle_argument
+    - zipl_systemd_debug-shell_argument_absent