Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch

362bfa
From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
362bfa
From: Matthew Burket <mburket@redhat.com>
362bfa
Date: Fri, 6 Aug 2021 10:48:46 -0500
362bfa
Subject: [PATCH] Add rule for RHEL-08-020320
362bfa
362bfa
---
362bfa
 .../ansible/shared.yml                           |  0
362bfa
 .../bash/shared.sh                               |  2 +-
362bfa
 .../oval/shared.xml                              |  2 +-
362bfa
 .../accounts_authorized_local_users/rule.yml     | 12 +++++++++---
362bfa
 .../tests/bad_user.fail.sh                       |  2 ++
362bfa
 .../tests/default.pass.sh                        | 16 ++++++++++++++++
362bfa
 ...var_accounts_authorized_local_users_regex.var |  1 +
362bfa
 products/rhel8/profiles/stig.profile             |  3 ++-
362bfa
 shared/references/cce-redhat-avail.txt           |  1 -
362bfa
 tests/data/profile_stability/rhel8/stig.profile  |  2 ++
362bfa
 .../profile_stability/rhel8/stig_gui.profile     |  2 ++
362bfa
 11 files changed, 36 insertions(+), 7 deletions(-)
362bfa
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
362bfa
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
362bfa
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
362bfa
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
362bfa
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
362bfa
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
362bfa
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)
362bfa
362bfa
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
362bfa
similarity index 100%
362bfa
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml
362bfa
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
362bfa
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
362bfa
similarity index 95%
362bfa
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
362bfa
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
362bfa
index c342acf36d1..fedb02d84ce 100644
362bfa
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
362bfa
@@ -10,7 +10,7 @@ default_os_user="root"
362bfa
 for username in $( sed 's/:.*//' /etc/passwd ) ; do
362bfa
 	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
362bfa
         then
362bfa
-		userdel $username ; 
362bfa
+		userdel $username ;
362bfa
 	fi
362bfa
 done
362bfa
 
362bfa
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
362bfa
similarity index 98%
362bfa
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
362bfa
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
362bfa
index 4e42081d0dc..c56799ded20 100644
362bfa
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
362bfa
@@ -32,6 +32,6 @@
362bfa
     var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
362bfa
   </ind:textfilecontent54_state>
362bfa
 
362bfa
-  
362bfa
+  
362bfa
   comment="accounts authorized local users on operating system"/>
362bfa
 </def-group>
362bfa
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
362bfa
similarity index 88%
362bfa
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
362bfa
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
362bfa
index ddbda30afe6..e2311f6a5c3 100644
362bfa
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
362bfa
@@ -1,6 +1,6 @@
362bfa
 documentation_complete: true
362bfa
 
362bfa
-prodtype: ol7,sle12,sle15
362bfa
+prodtype: ol7,sle12,sle15,fedora,rhel8
362bfa
 
362bfa
 title: 'Only Authorized Local User Accounts Exist on Operating System'
362bfa
 
362bfa
@@ -26,11 +26,10 @@ rationale: |-
362bfa
 severity: medium
362bfa
 
362bfa
 identifiers:
362bfa
+    cce@rhel8: CCE-85987-6
362bfa
     cce@sle12: CCE-83195-8
362bfa
     cce@sle15: CCE-85561-9
362bfa
 
362bfa
-severity: medium
362bfa
-
362bfa
 references:
362bfa
     disa: CCI-000366
362bfa
     nist@sle12: CM-6(b),CM-6.1(iv)
362bfa
@@ -41,6 +40,13 @@ references:
362bfa
 
362bfa
 ocil_clause: 'there are unauthorized local user accounts on the system'
362bfa
 
362bfa
+{{% if 'rhel' in product %}}
362bfa
+warnings:
362bfa
+    - general: |-
362bfa
+        Automatic remediation of this control is not available. Due the unique
362bfa
+        requirements of each system.
362bfa
+{{% endif %}}
362bfa
+
362bfa
 ocil: |-
362bfa
     To verify that there are no unauthorized local user accounts, run the following command:
362bfa
     
$ less /etc/passwd 
362bfa
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
362bfa
new file mode 100644
362bfa
index 00000000000..6dabaff6bc6
362bfa
--- /dev/null
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
362bfa
@@ -0,0 +1,2 @@
362bfa
+#! /bin/bash
362bfa
+adduser testuser
362bfa
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
362bfa
new file mode 100644
362bfa
index 00000000000..d942f81d04f
362bfa
--- /dev/null
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
362bfa
@@ -0,0 +1,16 @@
362bfa
+#! /bin/bash
362bfa
+# platform = multi_platform_rhel
362bfa
+
362bfa
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
362bfa
+
362bfa
+# never delete the root user
362bfa
+default_os_user="root"
362bfa
+
362bfa
+# delete users that is in /etc/passwd but neither in default_os_user
362bfa
+# nor in var_accounts_authorized_local_users_regex
362bfa
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
362bfa
+	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
362bfa
+        then
362bfa
+		echo $username ;
362bfa
+	fi
362bfa
+done
362bfa
diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
362bfa
similarity index 81%
362bfa
rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
362bfa
rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
362bfa
index 81626307321..2f456764617 100644
362bfa
--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
362bfa
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
362bfa
@@ -22,5 +22,6 @@ operator: pattern match
362bfa
 interactive: true
362bfa
 
362bfa
 options:
362bfa
+    rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
362bfa
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
362bfa
     saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
362bfa
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
362bfa
index f66b2a24a75..ec2929e8dc4 100644
362bfa
--- a/products/rhel8/profiles/stig.profile
362bfa
+++ b/products/rhel8/profiles/stig.profile
362bfa
@@ -54,6 +54,7 @@ selections:
362bfa
     - sshd_approved_macs=stig
362bfa
     - sshd_approved_ciphers=stig
362bfa
     - sshd_idle_timeout_value=10_minutes
362bfa
+    - var_accounts_authorized_local_users_regex=rhel8
362bfa
     - var_accounts_passwords_pam_faillock_deny=3
362bfa
     - var_accounts_passwords_pam_faillock_fail_interval=900
362bfa
     - var_accounts_passwords_pam_faillock_unlock_time=never
362bfa
@@ -576,7 +577,7 @@ selections:
362bfa
     - accounts_logon_fail_delay
362bfa
 
362bfa
     # RHEL-08-020320
362bfa
-    # - accounts_authorized_local_users
362bfa
+    - accounts_authorized_local_users
362bfa
 
362bfa
     # RHEL-08-020330
362bfa
     - sshd_disable_empty_passwords
362bfa
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
362bfa
index 1d54e8ec15f..3047c2d9b92 100644
362bfa
--- a/shared/references/cce-redhat-avail.txt
362bfa
+++ b/shared/references/cce-redhat-avail.txt
362bfa
@@ -115,7 +115,6 @@ CCE-85983-5
362bfa
 CCE-85984-3
362bfa
 CCE-85985-0
362bfa
 CCE-85986-8
362bfa
-CCE-85987-6
362bfa
 CCE-85988-4
362bfa
 CCE-85989-2
362bfa
 CCE-85990-0
362bfa
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
362bfa
index fcae79f6d88..9496f1e1d1d 100644
362bfa
--- a/tests/data/profile_stability/rhel8/stig.profile
362bfa
+++ b/tests/data/profile_stability/rhel8/stig.profile
362bfa
@@ -27,6 +27,7 @@ selections:
362bfa
 - account_emergency_expire_date
362bfa
 - account_temp_expire_date
362bfa
 - account_unique_id
362bfa
+- accounts_authorized_local_users
362bfa
 - accounts_have_homedir_login_defs
362bfa
 - accounts_logon_fail_delay
362bfa
 - accounts_max_concurrent_login_sessions
362bfa
@@ -358,6 +359,7 @@ selections:
362bfa
 - var_auditd_disk_error_action=halt
362bfa
 - var_auditd_max_log_file_action=syslog
362bfa
 - var_auditd_disk_full_action=halt
362bfa
+- var_accounts_authorized_local_users_regex=rhel8
362bfa
 - var_system_crypto_policy=fips
362bfa
 - var_sudo_timestamp_timeout=always_prompt
362bfa
 title: DISA STIG for Red Hat Enterprise Linux 8
362bfa
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa
index 2bbd1881f51..9e0c648a5f8 100644
362bfa
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
362bfa
@@ -38,6 +38,7 @@ selections:
362bfa
 - account_emergency_expire_date
362bfa
 - account_temp_expire_date
362bfa
 - account_unique_id
362bfa
+- accounts_authorized_local_users
362bfa
 - accounts_have_homedir_login_defs
362bfa
 - accounts_logon_fail_delay
362bfa
 - accounts_max_concurrent_login_sessions
362bfa
@@ -368,6 +369,7 @@ selections:
362bfa
 - var_auditd_disk_error_action=halt
362bfa
 - var_auditd_max_log_file_action=syslog
362bfa
 - var_auditd_disk_full_action=halt
362bfa
+- var_accounts_authorized_local_users_regex=rhel8
362bfa
 - var_system_crypto_policy=fips
362bfa
 - var_sudo_timestamp_timeout=always_prompt
362bfa
 title: DISA STIG with GUI for Red Hat Enterprise Linux 8