Blame SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch

c99e83
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
c99e83
From: Vojtech Polasek <vpolasek@redhat.com>
c99e83
Date: Thu, 21 May 2020 13:30:24 +0200
c99e83
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
c99e83
c99e83
---
c99e83
 .../root_logins/no_direct_root_logins/ansible/shared.yml    | 6 +-----
c99e83
 1 file changed, 1 insertion(+), 5 deletions(-)
c99e83
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
c99e83
index e9a29a24d5..6fbb7c72a5 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
c99e83
@@ -3,13 +3,9 @@
c99e83
 # strategy = restrict
c99e83
 # complexity = low
c99e83
 # disruption = low
c99e83
-- name: Test for existence of /etc/securetty
c99e83
-  stat:
c99e83
-    path: /etc/securetty
c99e83
-  register: securetty_empty
c99e83
+
c99e83
 
c99e83
 - name: "Direct root Logins Not Allowed"
c99e83
   copy:
c99e83
     dest: /etc/securetty
c99e83
     content: ""
c99e83
-  when: securetty_empty.stat.size > 1
c99e83
c99e83
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
c99e83
From: Vojtech Polasek <vpolasek@redhat.com>
c99e83
Date: Thu, 21 May 2020 14:21:38 +0200
c99e83
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
c99e83
c99e83
---
c99e83
 shared/templates/template_ANSIBLE_sebool | 8 +++++++-
c99e83
 1 file changed, 7 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
c99e83
index 29f37081be..38d7c7c350 100644
c99e83
--- a/shared/templates/template_ANSIBLE_sebool
c99e83
+++ b/shared/templates/template_ANSIBLE_sebool
c99e83
@@ -13,11 +13,17 @@
c99e83
 {{% else %}}
c99e83
 - (xccdf-var var_{{{ SEBOOLID }}})
c99e83
 
c99e83
+{{% if product == "rhel8" %}}
c99e83
+- name: Ensure python3-libsemanage installed
c99e83
+  package:
c99e83
+    name: python3-libsemanage
c99e83
+    state: present
c99e83
+{{% else %}}
c99e83
 - name: Ensure libsemanage-python installed
c99e83
   package:
c99e83
     name: libsemanage-python
c99e83
     state: present
c99e83
-
c99e83
+{{% endif %}}
c99e83
 - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
c99e83
   seboolean:
c99e83
     name: {{{ SEBOOLID }}}
c99e83
c99e83
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
c99e83
From: Vojtech Polasek <vpolasek@redhat.com>
c99e83
Date: Thu, 21 May 2020 14:57:05 +0200
c99e83
Subject: [PATCH 3/3] add tests for no_direct_root_logins
c99e83
c99e83
---
c99e83
 .../root_logins/no_direct_root_logins/tests/correct.pass.sh    | 3 +++
c99e83
 .../root_logins/no_direct_root_logins/tests/missing.fail.sh    | 3 +++
c99e83
 .../root_logins/no_direct_root_logins/tests/wrong.fail.sh      | 3 +++
c99e83
 3 files changed, 9 insertions(+)
c99e83
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
c99e83
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
c99e83
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
c99e83
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
c99e83
new file mode 100644
c99e83
index 0000000000..17251f6a98
c99e83
--- /dev/null
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
c99e83
@@ -0,0 +1,3 @@
c99e83
+#!/bin/bash
c99e83
+
c99e83
+echo > /etc/securetty
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
c99e83
new file mode 100644
c99e83
index 0000000000..c764814b26
c99e83
--- /dev/null
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
c99e83
@@ -0,0 +1,3 @@
c99e83
+#!/bin/bash
c99e83
+
c99e83
+rm -f /etc/securetty
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
c99e83
new file mode 100644
c99e83
index 0000000000..43ac341e87
c99e83
--- /dev/null
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
c99e83
@@ -0,0 +1,3 @@
c99e83
+#!/bin/bash
c99e83
+
c99e83
+echo "something" > /etc/securetty