Blame SOURCES/scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch

76240a
From 3d24d93e200f53f3845fffbc8764b8e48517c7b2 Mon Sep 17 00:00:00 2001
76240a
From: Gabriel Becker <ggasparb@redhat.com>
76240a
Date: Wed, 4 Aug 2021 16:57:50 +0200
76240a
Subject: [PATCH] Assign RHEL-08-020240 to account_unique_id and add test
76240a
 scenarios.
76240a
76240a
---
76240a
 .../accounts-restrictions/account_unique_id/oval/shared.xml  | 2 +-
76240a
 .../accounts-restrictions/account_unique_id/rule.yml         | 4 +++-
76240a
 .../account_unique_id/tests/correct_value.pass.sh            | 2 ++
76240a
 .../account_unique_id/tests/wrong_value.fail.sh              | 5 +++++
76240a
 products/rhel8/profiles/stig.profile                         | 1 +
76240a
 shared/references/cce-redhat-avail.txt                       | 1 -
76240a
 tests/data/profile_stability/rhel8/stig.profile              | 1 +
76240a
 tests/data/profile_stability/rhel8/stig_gui.profile          | 1 +
76240a
 8 files changed, 14 insertions(+), 3 deletions(-)
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
76240a
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
76240a
index be45c518115..491ad4587ee 100644
76240a
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
76240a
@@ -7,7 +7,7 @@
76240a
 
76240a
   </definition>
76240a
 
76240a
-  
76240a
+  
76240a
   <unix:password_object id="obj_all_uids" version="1">
76240a
     <unix:username operation="pattern match">.*</unix:username>
76240a
   </unix:password_object>
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
76240a
index 731632f7f5a..e55901dbdc5 100644
76240a
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
76240a
@@ -12,6 +12,7 @@ severity: medium
76240a
 
76240a
 identifiers:
76240a
     cce@rhel7: CCE-85857-1
76240a
+    cce@rhel8: CCE-89903-9
76240a
     cce@sle12: CCE-83196-6
76240a
     cce@sle15: CCE-83277-4
76240a
 
76240a
@@ -19,7 +20,8 @@ references:
76240a
     cis@rhel7: 6.2.7
76240a
     disa: CCI-000764,CCI-000804
76240a
     nist@sle12: IA-2,IA-2.1,IA-8,IA-8.1
76240a
-    srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062
76240a
+    srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062,SRG-OS-000042-GPOS-00020
76240a
+    stigid@rhel8: RHEL-08-020240
76240a
     stigid@sle12: SLES-12-010640
76240a
     stigid@sle15: SLES-15-010230
76240a
 
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
76240a
new file mode 100644
76240a
index 00000000000..645c46eb847
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
76240a
@@ -0,0 +1,2 @@
76240a
+#!/bin/bash
76240a
+# remediation = none
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..cc7f2215041
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
76240a
@@ -0,0 +1,5 @@
76240a
+#!/bin/bash
76240a
+# remediation = none
76240a
+
76240a
+echo "test_user:x:30090:30090:Test User:/home/test_user:/usr/bin/bash" >> /etc/passwd
76240a
+echo "test_user_2:x:30090:30090:Test User 2:/home/test_user_2:/usr/bin/bash" >> /etc/passwd
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index ec0a3b17537..bdddfef846f 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -552,6 +552,7 @@ selections:
76240a
     - accounts_password_minlen_login_defs
76240a
 
76240a
     # RHEL-08-020240
76240a
+    - account_unique_id
76240a
 
76240a
     # RHEL-08-020250
76240a
     - sssd_enable_smartcards
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 61384c108a0..1d54e8ec15f 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -3969,7 +3969,6 @@ CCE-89899-9
76240a
 CCE-89900-5
76240a
 CCE-89901-3
76240a
 CCE-89902-1
76240a
-CCE-89903-9
76240a
 CCE-89904-7
76240a
 CCE-89905-4
76240a
 CCE-89906-2
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index bffa509b698..71dd6330a16 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -26,6 +26,7 @@ selections:
76240a
 - account_disable_post_pw_expiration
76240a
 - account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
+- account_unique_id
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay
76240a
 - accounts_max_concurrent_login_sessions
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index c84ac75c7bf..3e788b27bac 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -37,6 +37,7 @@ selections:
76240a
 - account_disable_post_pw_expiration
76240a
 - account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
+- account_unique_id
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay
76240a
 - accounts_max_concurrent_login_sessions