scap-security-guide/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
2022-07-18 15:27:25 +02:00


From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:46:31 +0200
Subject: [PATCH 1/5] Create rule grub2_disable_recovery
Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true
option in /etc/default/grub. The rule is similar to
grub2_disable_interactive_boot, but that one in addition checks
for systemd.confirm_spawn. This is introduced for OSPP.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
.../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++
.../grub2_disable_recovery/bash/shared.sh | 13 ++++++
.../grub2_disable_recovery/oval/shared.xml | 9 ++++
.../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++
.../tests/correct_value.pass.sh | 3 ++
.../tests/wrong_value.fail.sh | 3 ++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
new file mode 100644
index 00000000000..f6285cb13cb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Verify GRUB_DISABLE_RECOVERY=true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_DISABLE_RECOVERY=.*'
+ line: 'GRUB_DISABLE_RECOVERY=true'
+ state: present
+
+{{% if product in ['sle12', 'sle15'] %}}
+- name: Update grub defaults and the bootloader menu
+ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+{{% else %}}
+- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL
+{{% endif -%}}
\ No newline at end of file
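Review bot: The `regexp: '^GRUB_DISABLE_RECOVERY=.*'` on the lineinfile task matches only an assignment that starts in column 0, so an indented or otherwise variant existing line is left in place and a second `GRUB_DISABLE_RECOVERY=true` is appended after it; because grub2-mkconfig reads /etc/default/grub by sourcing it, the later assignment should win, but the file is left with two conflicting assignments for the next reader. Consider `regexp: '^\s*GRUB_DISABLE_RECOVERY='` so the task rewrites the existing line, which is what the bash remediation's grep/sed pair does. The per-product grubby/grub2-mkconfig branch also duplicates what the bash remediation gets from `grub_command("update")`; if that macro can be used from the Ansible template, reusing it would keep the two remediations from drifting.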
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
new file mode 100644
index 00000000000..78322e63446
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
+else
+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+fi
+
+{{{ grub_command("update") }}}
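Review bot: The `grep -q '^GRUB_DISABLE_RECOVERY=.*'` guard is anchored to the start of the line but the sed that follows it is not, so `sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/'` also rewrites commented-out or explanatory occurrences anywhere on a line (a `#GRUB_DISABLE_RECOVERY=false` comment becomes `#GRUB_DISABLE_RECOVERY=true`) and swallows any trailing inline comment on the real assignment. Anchoring the substitution, `sed -i 's/^GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"`, keeps the edit to the line the guard actually found. The path is single-quoted on two lines and double-quoted on the third; one style reads more easily.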
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
new file mode 100644
index 00000000000..10adbe0a30b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
@@ -0,0 +1,9 @@
+<def-group>
+ <definition class="compliance" id="grub2_disable_recovery" version="1">
+ {{{ oval_metadata("Recovery mode should be disabled.") }}}
+ <criteria operator="AND">
+ <extend_definition definition_ref="bootloader_disable_recovery_set_to_true"
+ comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
+ </criteria>
+ </definition>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
new file mode 100644
index 00000000000..4f8d4ddcfde
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Disable Recovery Booting'
+
+description: |-
+ {{{ full_name }}} systems support an "recovery boot" option that can be used
+ to prevent services from being started. The <tt>GRUB_DISABLE_RECOVERY</tt>
+ configuration option in <tt>/etc/default/grub</tt> should be set to
+ <tt>true</tt> to disable the generation of recovery mode menu entries. It is
+ also required to change the runtime configuration, run:
+ <pre>$ sudo {{{ grub_command("update") }}}</pre>
+
+rationale: |-
+ Using recovery boot, the console user could disable auditing, firewalls,
+ or other services, weakening system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85986-8
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing'
+
+ocil: |-
+ Verify that <tt>GRUB_DISABLE_RECOVERY</tt> is set to </tt>true</tt> in <tt>/etc/default/grub</tt> to disable recovery boot.
+ Run the following command:
+
+ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub
+
+fixtext: |-
+ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries.
+ Add or edit the following line in /etc/default/grub:
+
+ GRUB_DISABLE_RECOVERY=true
+
+ Then, run the following command:
+
+ $ sudo {{{ grub_command("update") }}}
+
+platform: grub2
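Review bot: The ocil text writes `</tt>true</tt>`, a closing tag where an opening one was meant, which renders as broken markup in the generated guide; it should read `<tt>true</tt>`. In the description, `an "recovery boot" option` should be `a "recovery boot" option`, and `It is also required to change the runtime configuration, run:` reads better as `To apply the change to the runtime configuration, run:`. The ocil_clause names the missing-line case but the ocil only asks the reader to grep and does not say what an empty result means; consider closing it with `If the command produces no output or the value is not true, this is a finding.`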
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..cb8824a6bef
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
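Review bot: correct_value.pass.sh appends `GRUB_DISABLE_RECOVERY=true` without removing any assignment already present, so if the test image's /etc/default/grub already carries the variable with another value the file holds two assignments and the scenario's outcome depends on how the OVAL test aggregates multiple matches rather than on what is being tested; the same applies to wrong_value.fail.sh in the next hunk, which would not fail if `=true` is already there. Deleting the existing line first, `sed -i '/^GRUB_DISABLE_RECOVERY=/d' /etc/default/grub`, before the echo makes each scenario self-contained. A third scenario for the line being absent entirely, the case the rule's ocil_clause names, is also missing and would be a one-line `.fail.sh` using the same sed.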
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..7241fd5aad6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee246384416..431b133d416 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -44,7 +44,6 @@ CCE-85982-7
CCE-85983-5
CCE-85984-3
CCE-85985-0
-CCE-85986-8
CCE-85988-4
CCE-85997-5
CCE-85998-3
From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:52:10 +0200
Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP
Use grub2_disable_recovery instead of grub2_disable_interactive_boot
to check solely for the GRUB_DISABLE_RECOVERY=true config option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..8245bb9ce63 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -275,7 +275,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 16:05:22 +0200
Subject: [PATCH 3/5] Fix regular expression
The original expression `^true|"true"$` could match things like
`truex` or `x"true"` because the first alternative doesn't contain
`$` and the second alternative doesn't contain `^`.
---
shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
index 563006cd803..ff64177d6df 100644
--- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
+++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_state id="state_bootloader_disable_recovery_argument"
version="1">
- <ind:subexpression datatype="string" operation="pattern match">^true|"true"$</ind:subexpression>
+ <ind:subexpression datatype="string" operation="pattern match">^(true|"true")$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
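Review bot: The tightened pattern `^(true|"true")$` still rejects the single-quoted spelling `'true'`, which as far as I know is an equally valid assignment because grub2-mkconfig reads /etc/default/grub by sourcing it as shell; a system configured that way has recovery entries disabled but would be reported as failing. If that form is meant to be accepted, `^(true|"true"|'true')$` covers it; if only the two listed spellings are intended, a short comment on the state saying so would stop the next reader from reopening the question. The enclosing state and def-group close inside the hunk, so no further alternatives are hidden from view.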
From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:18:37 +0200
Subject: [PATCH 4/5] Improve a regular expression
According to
https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn
the option systemd.confirm_spawn can be also specified without an
argument, with the same effect as a positive boolean. This commit
changes the regular expression used in checks for this, forbidding also
the occurrence of systemd.confirm_spawn without any argument. Also
improves whitespace handling. Also adds a test scenario covering the
situation in which the systemd.confirm_spawn is also specified without
an argument.
---
.../oval/shared.xml | 2 +-
...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
index 837fc037300..e7358a49fa9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
@@ -25,7 +25,7 @@
<ind:textfilecontent54_object id="object_grub2_disable_interactive_boot_grub_cmdline_linux"
version="1">
<ind:filepath>/etc/default/grub</ind:filepath>
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
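Review bot: The new pattern's argument alternation `(?:=(?:1|yes|true|on))?` is narrower than what systemd accepts for a boolean kernel option; systemd's boolean parser, as far as I recall, also takes `y` and `t` and compares case-insensitively, so `systemd.confirm_spawn=Yes` or `=y` would enable confirm_spawn yet pass this check. Widening it to `(?:=(?i:1|y|yes|t|true|on))?` (or whichever spellings the project wants to recognise) closes that gap without touching the surrounding anchors. The object's other settings and the GRUB_CMDLINE_LINUX_DEFAULT counterpart that the new test scenario exercises are outside this hunk, so the same adjustment is presumably needed there.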
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
new file mode 100644
index 00000000000..37a12f021e4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# The option systemd.confirm_spawn can be also specified without an argument,
+# with the same effect as a positive boolean.
+CONFIRM_SPAWN_OPT="systemd.confirm_spawn"
+
+if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
+
+if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
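Review bot: The two stanzas for GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT are identical apart from the variable name, and the inner `sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/"` in both is not restricted to the variable's own line, so each branch rewrites whatever occurrence it finds anywhere in the file. Factoring the stanza into a function parameterised by the variable name removes the duplication, and scoping the substitution with a `/^${var}=/` address keeps each call to the line it is meant to edit.

```shell
# Make ${CONFIRM_SPAWN_OPT} appear without an argument in the given
# /etc/default/grub variable, adding the variable if it is absent.
ensure_opt_without_arg() {
    local var="$1"
    if grep -q "^${var}=" /etc/default/grub; then
        if grep -q "^${var}=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
            sed -i "/^${var}=/ s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
        else
            sed -i "s/\(^${var}=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
        fi
    else
        echo "${var}=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
    fi
}

ensure_opt_without_arg GRUB_CMDLINE_LINUX
ensure_opt_without_arg GRUB_CMDLINE_LINUX_DEFAULT
```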
From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:36:07 +0200
Subject: [PATCH 5/5] Fix missing newlines at EOF
---
.../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +-
.../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +-
.../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
index f6285cb13cb..4348e239f2e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -17,4 +17,4 @@
{{% else %}}
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL
-{{% endif -%}}
\ No newline at end of file
+{{% endif -%}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
index cb8824a6bef..e8fa3574436 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
index 7241fd5aad6..20392dc7f7a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'