From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:05:15 +0200
Subject: [PATCH 1/3] Introduce CPE shadow-utils
- Add inventory OVAL check for shadow-utils package installed
- Add shadow-utils CPE to RHEL7 dictionary
---
rhel7/cpe/rhel7-cpe-dictionary.xml | 5 ++++
...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
0cd8e1 |
index 23541378f8..44fe06f103 100644
|
|
|
0cd8e1 |
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
0cd8e1 |
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
0cd8e1 |
@@ -47,4 +47,9 @@
|
|
|
0cd8e1 |
|
|
|
0cd8e1 |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
|
|
|
0cd8e1 |
</cpe-item>
|
|
|
0cd8e1 |
+ <cpe-item name="cpe:/a:shadow-utils">
|
|
|
0cd8e1 |
+ <title xml:lang="en-us">Package shadow-utils is installed</title>
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
|
|
|
0cd8e1 |
+ </cpe-item>
|
|
|
0cd8e1 |
</cpe-list>
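Review bot: The new `cpe:/a:shadow-utils` item is added only to the RHEL7 dictionary, while the rules gated on it (patch 2) live under the shared `linux_os/guide` tree and the platform-to-CPE mapping (patch 3) is in the shared `ssg/constants.py`. For any other product that builds these rules, `platform: shadow-utils` would resolve to a CPE its dictionary does not declare, so the applicability check presumably cannot be evaluated there and the rules would silently become notapplicable, or fail a build-time lookup, depending on how the builder treats an unknown CPE. Either add the same `<cpe-item>` to the CPE dictionaries of the other products that ship these rules, or state in the commit message that the gating is RHEL7-only for now. The `href="filename"` value matches the existing `installed_env_is_a_machine` entry, so the new item follows the file's convention.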
|
|
|
0cd8e1 |
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
|
|
|
0cd8e1 |
new file mode 100644
|
|
|
0cd8e1 |
index 0000000000..12dd5bd565
|
|
|
0cd8e1 |
--- /dev/null
|
|
|
0cd8e1 |
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
|
|
|
0cd8e1 |
@@ -0,0 +1,24 @@
|
|
|
0cd8e1 |
+<def-group>
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+ id="installed_env_has_shadow-utils_package" version="1">
|
|
|
0cd8e1 |
+ <metadata>
|
|
|
0cd8e1 |
+ <title>Package shadow-utils is installed</title>
|
|
|
0cd8e1 |
+ <affected family="unix">
|
|
|
0cd8e1 |
+ <platform>multi_platform_all</platform>
|
|
|
0cd8e1 |
+ </affected>
|
|
|
0cd8e1 |
+ <description>Checks if package shadow-utils is installed.</description>
|
|
|
0cd8e1 |
+ <reference ref_id="cpe:/a:shadow-utils" source="CPE" />
|
|
|
0cd8e1 |
+ </metadata>
|
|
|
0cd8e1 |
+ <criteria>
|
|
|
0cd8e1 |
+ <criterion comment="Package shadow-utils is installed" test_ref="test_env_has_shadow-utils_installed" />
|
|
|
0cd8e1 |
+ </criteria>
|
|
|
0cd8e1 |
+ </definition>
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
|
|
|
0cd8e1 |
+ <linux:object object_ref="obj_env_has_shadow-utils_installed" />
|
|
|
0cd8e1 |
+ </linux:rpminfo_test>
|
|
|
0cd8e1 |
+ <linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
|
|
|
0cd8e1 |
+ <linux:name>shadow-utils</linux:name>
|
|
|
0cd8e1 |
+ </linux:rpminfo_object>
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+</def-group>
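Review bot: The definition declares `<platform>multi_platform_all</platform>` but its only criterion is a `linux:rpminfo_test`, which can only be collected on RPM-based systems; on a dpkg-based product the object would presumably not be collected, the inventory check would never report the package as present, and every rule gated on this CPE would become notapplicable there instead of being evaluated. Either narrow the platform list to the RPM-based families this content targets (e.g. `<platform>multi_platform_rhel</platform>` and `<platform>multi_platform_fedora</platform>`) or add a `linux:dpkginfo_test` criterion for the dpkg package name under a `<criteria operator="OR">`. Separately, the rendered hunk shows an empty added line directly before `id="installed_env_has_shadow-utils_package" version="1">`; if the `<definition class="inventory"` opening tag is genuinely absent from the file rather than dropped by the page rendering, the file is not well-formed XML, since the closing `</definition>` is present.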
From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:10:33 +0200
Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed
If the shadow-utils package is not installed, the rule will result in
notapplicable.
---
.../account_disable_post_pw_expiration.rule | 2 ++
.../accounts_maximum_age_login_defs.rule | 2 ++
.../accounts_minimum_age_login_defs.rule | 2 ++
.../accounts_password_minlen_login_defs.rule | 2 ++
.../accounts_password_warn_age_login_defs.rule | 2 ++
.../accounts-session/accounts_logon_fail_delay.rule | 2 ++
6 files changed, 12 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
|
|
|
0cd8e1 |
index 9d19274f1c..d8b29b6436 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
|
|
|
0cd8e1 |
@@ -62,3 +62,5 @@ ocil: |-
|
|
|
0cd8e1 |
to an appropriate integer as shown in the example below:
|
|
|
0cd8e1 |
$ grep "INACTIVE" /etc/default/useradd
|
|
|
0cd8e1 |
INACTIVE=<sub idref="var_account_disable_post_pw_expiration" />
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
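Review bot: Each hunk appends `platform: shadow-utils` after the trailing `ocil: |-` block scalar, and only the last three lines of each file are shown, so it is not visible whether any of these rules already carries a `platform:` key earlier in the file; YAML loaders such as PyYAML keep the last duplicate key silently, so an existing `platform: machine` would be overridden without any warning. Please confirm that none of account_disable_post_pw_expiration, accounts_maximum_age_login_defs, accounts_minimum_age_login_defs, accounts_password_minlen_login_defs, accounts_password_warn_age_login_defs and accounts_logon_fail_delay already declares one. As a point of style, a top-level key trailing a long block scalar is easy to miss on later edits; if the project's convention keeps `platform:` with the other metadata keys near the top of the rule, placing it there would be clearer. The `ocil` block each hunk ends begins outside the hunk, and the same remarks apply to the hunks in the other five rule files.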
|
|
|
0cd8e1 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
|
|
|
0cd8e1 |
index 90dc1b4f2b..de322bc787 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
|
|
|
0cd8e1 |
@@ -55,3 +55,5 @@ ocil: |-
|
|
|
0cd8e1 |
$ grep PASS_MAX_DAYS /etc/login.defs
|
|
|
0cd8e1 |
The DoD and FISMA requirement is 60.
|
|
|
0cd8e1 |
A value of 180 days is sufficient for many environments.
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
|
|
|
0cd8e1 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
|
|
|
0cd8e1 |
index 88706c8b3e..dd7030cd0a 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
|
|
|
0cd8e1 |
@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value'
|
|
|
0cd8e1 |
ocil: |-
|
|
|
0cd8e1 |
To check the minimum password age, run the command:
|
|
|
0cd8e1 |
$ grep PASS_MIN_DAYS /etc/login.defs
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
|
|
|
0cd8e1 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
|
|
|
0cd8e1 |
index 814fda94b9..d38ee253fb 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
|
|
|
0cd8e1 |
@@ -51,3 +51,5 @@ ocil: |-
|
|
|
0cd8e1 |
To check the minimum password length, run the command:
|
|
|
0cd8e1 |
$ grep PASS_MIN_LEN /etc/login.defs
|
|
|
0cd8e1 |
The DoD requirement is <tt>15</tt>.
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
|
|
|
0cd8e1 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
|
|
|
0cd8e1 |
index d8947ad9fd..85b5cd762f 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
|
|
|
0cd8e1 |
@@ -40,3 +40,5 @@ ocil: |-
|
|
|
0cd8e1 |
To check the password warning age, run the command:
|
|
|
0cd8e1 |
$ grep PASS_WARN_AGE /etc/login.defs
|
|
|
0cd8e1 |
The DoD requirement is 7.
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
|
|
|
0cd8e1 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
|
|
|
0cd8e1 |
index 171051e138..33fc873e97 100644
|
|
|
0cd8e1 |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
|
|
|
0cd8e1 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
|
|
|
0cd8e1 |
@@ -37,3 +37,5 @@ ocil: |-
|
|
|
0cd8e1 |
All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
|
|
|
0cd8e1 |
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
|
|
|
0cd8e1 |
fail_delay <sub idref="var_accounts_fail_delay" />
|
|
|
0cd8e1 |
+
|
|
|
0cd8e1 |
+platform: shadow-utils
From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:14:58 +0200
Subject: [PATCH 3/3] Map shadow-utils platform to CPE name
---
ssg/constants.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssg/constants.py b/ssg/constants.py
|
|
|
0cd8e1 |
index b80382be3d..f96fd51790 100644
|
|
|
0cd8e1 |
--- a/ssg/constants.py
|
|
|
0cd8e1 |
+++ b/ssg/constants.py
|
|
|
0cd8e1 |
@@ -375,7 +375,8 @@
|
|
|
0cd8e1 |
|
|
|
0cd8e1 |
XCCDF_PLATFORM_TO_CPE = {
|
|
|
0cd8e1 |
"machine": "cpe:/a:machine",
|
|
|
0cd8e1 |
- "container": "cpe:/a:container"
|
|
|
0cd8e1 |
+ "container": "cpe:/a:container",
|
|
|
0cd8e1 |
+ "shadow-utils": "cpe:/a:shadow-utils",
|
|
|
0cd8e1 |
}
|
|
|
0cd8e1 |
|
|
|
0cd8e1 |
# Application constants
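Review bot: The new `"shadow-utils"` entry joins a mapping that has no comment stating what its keys and values are or where else a value must be declared, which is the kind of implicit contract that is easy to break when the next platform is added. A two-line comment above `XCCDF_PLATFORM_TO_CPE = {` would capture it: `# Maps a rule's "platform:" value to the CPE name used in its applicability check.` and `# Every CPE named here must also be declared in the CPE dictionary of each product that builds the rule.` The trailing comma added to the `container` line is welcome, since it keeps later additions to single-line diffs.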
|