Blame SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch

0cd8e1
From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001
0cd8e1
From: Watson Sato <wsato@redhat.com>
0cd8e1
Date: Wed, 3 Apr 2019 18:05:15 +0200
0cd8e1
Subject: [PATCH 1/3] Introduce CPE shadow-utils
0cd8e1
0cd8e1
- Add inventory OVAL check for shadow-utils package installed
0cd8e1
- Add shadow-utils CPE to RHEL7 dictionary
0cd8e1
---
0cd8e1
 rhel7/cpe/rhel7-cpe-dictionary.xml            |  5 ++++
0cd8e1
 ...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++
0cd8e1
 2 files changed, 29 insertions(+)
0cd8e1
 create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml
0cd8e1
0cd8e1
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
0cd8e1
index 23541378f8..44fe06f103 100644
0cd8e1
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
0cd8e1
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
0cd8e1
@@ -47,4 +47,9 @@
0cd8e1
             
0cd8e1
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
0cd8e1
       </cpe-item>
0cd8e1
+      <cpe-item name="cpe:/a:shadow-utils">
0cd8e1
+            <title xml:lang="en-us">Package shadow-utils is installed</title>
0cd8e1
+            
0cd8e1
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
0cd8e1
+      </cpe-item>
0cd8e1
 </cpe-list>
0cd8e1
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
0cd8e1
new file mode 100644
0cd8e1
index 0000000000..12dd5bd565
0cd8e1
--- /dev/null
0cd8e1
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
0cd8e1
@@ -0,0 +1,24 @@
0cd8e1
+<def-group>
0cd8e1
+  
0cd8e1
+  id="installed_env_has_shadow-utils_package" version="1">
0cd8e1
+    <metadata>
0cd8e1
+      <title>Package shadow-utils is installed</title>
0cd8e1
+      <affected family="unix">
0cd8e1
+        <platform>multi_platform_all</platform>
0cd8e1
+      </affected>
0cd8e1
+      <description>Checks if package shadow-utils is installed.</description>
0cd8e1
+      <reference ref_id="cpe:/a:shadow-utils" source="CPE" />
0cd8e1
+    </metadata>
0cd8e1
+    <criteria>
0cd8e1
+      <criterion comment="Package shadow-utils is installed" test_ref="test_env_has_shadow-utils_installed" />
0cd8e1
+    </criteria>
0cd8e1
+  </definition>
0cd8e1
+
0cd8e1
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
0cd8e1
+    <linux:object object_ref="obj_env_has_shadow-utils_installed" />
0cd8e1
+  </linux:rpminfo_test>
0cd8e1
+  <linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
0cd8e1
+    <linux:name>shadow-utils</linux:name>
0cd8e1
+  </linux:rpminfo_object>
0cd8e1
+
0cd8e1
+</def-group>
0cd8e1
0cd8e1
From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001
0cd8e1
From: Watson Sato <wsato@redhat.com>
0cd8e1
Date: Wed, 3 Apr 2019 18:10:33 +0200
0cd8e1
Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed
0cd8e1
0cd8e1
If package shadow-utils is not installed, the rule will result in
0cd8e1
notapplicable.
0cd8e1
---
0cd8e1
 .../account_disable_post_pw_expiration.rule                     | 2 ++
0cd8e1
 .../accounts_maximum_age_login_defs.rule                        | 2 ++
0cd8e1
 .../accounts_minimum_age_login_defs.rule                        | 2 ++
0cd8e1
 .../accounts_password_minlen_login_defs.rule                    | 2 ++
0cd8e1
 .../accounts_password_warn_age_login_defs.rule                  | 2 ++
0cd8e1
 .../accounts-session/accounts_logon_fail_delay.rule             | 2 ++
0cd8e1
 6 files changed, 12 insertions(+)
0cd8e1
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
0cd8e1
index 9d19274f1c..d8b29b6436 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
0cd8e1
@@ -62,3 +62,5 @@ ocil: |-
0cd8e1
     to an appropriate integer as shown in the example below:
0cd8e1
     
$ grep "INACTIVE" /etc/default/useradd
0cd8e1
     INACTIVE=<sub idref="var_account_disable_post_pw_expiration" />
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
0cd8e1
index 90dc1b4f2b..de322bc787 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
0cd8e1
@@ -55,3 +55,5 @@ ocil: |-
0cd8e1
     
$ grep PASS_MAX_DAYS /etc/login.defs
0cd8e1
     The DoD and FISMA requirement is 60.
0cd8e1
     A value of 180 days is sufficient for many environments.
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
0cd8e1
index 88706c8b3e..dd7030cd0a 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
0cd8e1
@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value'
0cd8e1
 ocil: |-
0cd8e1
     To check the minimum password age, run the command:
0cd8e1
     
$ grep PASS_MIN_DAYS /etc/login.defs
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
0cd8e1
index 814fda94b9..d38ee253fb 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
0cd8e1
@@ -51,3 +51,5 @@ ocil: |-
0cd8e1
     To check the minimum password length, run the command:
0cd8e1
     
$ grep PASS_MIN_LEN /etc/login.defs
0cd8e1
     The DoD requirement is <tt>15</tt>.
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
0cd8e1
index d8947ad9fd..85b5cd762f 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
0cd8e1
@@ -40,3 +40,5 @@ ocil: |-
0cd8e1
     To check the password warning age, run the command:
0cd8e1
     
$ grep PASS_WARN_AGE /etc/login.defs
0cd8e1
     The DoD requirement is 7.
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
0cd8e1
index 171051e138..33fc873e97 100644
0cd8e1
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
0cd8e1
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
0cd8e1
@@ -37,3 +37,5 @@ ocil: |-
0cd8e1
     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
0cd8e1
     
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
0cd8e1
     fail_delay <sub idref="var_accounts_fail_delay" />
0cd8e1
+
0cd8e1
+platform: shadow-utils
0cd8e1
0cd8e1
From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001
0cd8e1
From: Watson Sato <wsato@redhat.com>
0cd8e1
Date: Wed, 3 Apr 2019 18:14:58 +0200
0cd8e1
Subject: [PATCH 3/3] Map shadow-utils platform to CPE name
0cd8e1
0cd8e1
---
0cd8e1
 ssg/constants.py | 3 ++-
0cd8e1
 1 file changed, 2 insertions(+), 1 deletion(-)
0cd8e1
0cd8e1
diff --git a/ssg/constants.py b/ssg/constants.py
0cd8e1
index b80382be3d..f96fd51790 100644
0cd8e1
--- a/ssg/constants.py
0cd8e1
+++ b/ssg/constants.py
0cd8e1
@@ -375,7 +375,8 @@
0cd8e1
 
0cd8e1
 XCCDF_PLATFORM_TO_CPE = {
0cd8e1
     "machine": "cpe:/a:machine",
0cd8e1
-    "container": "cpe:/a:container"
0cd8e1
+    "container": "cpe:/a:container",
0cd8e1
+    "shadow-utils": "cpe:/a:shadow-utils",
0cd8e1
 }
0cd8e1
 
0cd8e1
 # Application constants