|
 |
abb996 |
From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
|
|
|
abb996 |
From: Matej Tyc <matyc@redhat.com>
|
|
|
abb996 |
Date: Fri, 30 Jul 2021 16:57:13 +0200
|
|
|
abb996 |
Subject: [PATCH 1/5] Enable more RHEL9 content
|
|
|
abb996 |
|
|
|
abb996 |
---
|
|
|
abb996 |
.../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
|
|
|
abb996 |
.../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
|
|
|
abb996 |
.../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
|
|
|
abb996 |
.../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
|
|
|
abb996 |
.../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
|
|
|
abb996 |
.../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
|
|
|
abb996 |
.../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
|
|
|
abb996 |
.../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
|
|
|
abb996 |
.../rule.yml | 3 ++-
|
|
|
abb996 |
products/rhel9/profiles/hipaa.profile | 6 +++---
|
|
|
abb996 |
products/rhel9/profiles/ospp.profile | 8 ++++----
|
|
|
abb996 |
products/rhel9/profiles/pci-dss.profile | 4 ++--
|
|
|
abb996 |
shared/references/cce-redhat-avail.txt | 6 ------
|
|
|
abb996 |
13 files changed, 23 insertions(+), 26 deletions(-)
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
|
|
|
abb996 |
index f43f92c2f15..c0fbe2c5e34 100644
|
|
|
abb996 |
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: ol8,rhel8,rhcos4
|
|
|
abb996 |
+prodtype: ol8,rhel8,rhel9,rhcos4
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Configure session renegotiation for SSH client'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -27,6 +27,7 @@ severity: medium
|
|
|
abb996 |
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel8: CCE-82880-6
|
|
|
abb996 |
+ cce@rhel9: CCE-87522-9
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
disa: CCI-000068
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
|
|
|
abb996 |
index 7d4faedfb47..d8063726fb4 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
|
|
|
abb996 |
@@ -1,4 +1,4 @@
|
|
|
abb996 |
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
|
|
|
abb996 |
+# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
|
|
|
abb996 |
|
|
|
abb996 |
# Include source function library.
|
|
|
abb996 |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
|
|
|
abb996 |
index 94767ad5993..4cbf5c84651 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
|
|
|
abb996 |
@@ -1,9 +1,5 @@
|
|
|
abb996 |
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
|
|
|
abb996 |
{{%- if init_system == "systemd" -%}}
|
|
|
abb996 |
-{{% if product in ["rhel7", "rhel8"] %}}
|
|
|
abb996 |
-# The process to disable ctrl+alt+del has changed in RHEL7.
|
|
|
abb996 |
-# Reference: https://access.redhat.com/solutions/1123873
|
|
|
abb996 |
-{{% endif %}}
|
|
|
abb996 |
systemctl disable --now ctrl-alt-del.target
|
|
|
abb996 |
systemctl mask --now ctrl-alt-del.target
|
|
|
abb996 |
{{%- else -%}}
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
|
|
|
abb996 |
index 0652fbeadaf..9c6534cf401 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
|
|
abb996 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Install the pcsc-lite package'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -16,6 +16,7 @@ severity: medium
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel7: CCE-82347-6
|
|
|
abb996 |
cce@rhel8: CCE-80993-9
|
|
|
abb996 |
+ cce@rhel9: CCE-86280-5
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
disa: CCI-001954
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
|
|
|
abb996 |
index e14db48c22a..6472ade5791 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
|
|
abb996 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Enable the pcscd Service'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -24,6 +24,7 @@ severity: medium
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel7: CCE-80569-7
|
|
|
abb996 |
cce@rhel8: CCE-80881-6
|
|
|
abb996 |
+ cce@rhel9: CCE-87907-2
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
disa: CCI-001954
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
abb996 |
index a6862c2af25..984a8cf333e 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
|
|
|
abb996 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Enforce usage of pam_wheel for su authentication'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -20,6 +20,7 @@ severity: medium
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel7: CCE-85855-5
|
|
|
abb996 |
cce@rhel8: CCE-83318-6
|
|
|
abb996 |
+ cce@rhel9: CCE-90085-2
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
cis@rhel7: "5.7"
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
|
|
|
abb996 |
index 1b71c7d3acd..3779b396b4e 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
|
|
|
abb996 |
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Ensure the Default C Shell Umask is Set Correctly'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -20,6 +20,7 @@ identifiers:
|
|
|
abb996 |
cce@rhcos4: CCE-84261-7
|
|
|
abb996 |
cce@rhel7: CCE-80203-3
|
|
|
abb996 |
cce@rhel8: CCE-81037-4
|
|
|
abb996 |
+ cce@rhel9: CCE-87721-7
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
cis-csc: '18'
|
|
|
abb996 |
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
|
|
|
abb996 |
index a65bec7348c..3a4847ff9d8 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
|
|
|
abb996 |
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
|
|
|
abb996 |
@@ -6,6 +6,7 @@
|
|
|
abb996 |
<criteria comment="Installed operating system is a certified operating system" operator="OR">
|
|
|
abb996 |
<extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
|
|
|
abb996 |
<extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
|
|
|
abb996 |
+
|
|
|
abb996 |
<extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
|
|
|
abb996 |
<extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
|
|
|
abb996 |
<extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
|
|
|
abb996 |
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
index 8b6577226fb..4f49b3b825d 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: rhel8
|
|
|
abb996 |
+prodtype: rhel8,rhel9
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Install dnf-plugin-subscription-manager Package'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -17,6 +17,7 @@ severity: medium
|
|
|
abb996 |
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel8: CCE-82315-3
|
|
|
abb996 |
+ cce@rhel9: CCE-89879-1
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
ism: 0940,1144,1467,1472,1483,1493,1494,1495
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
index 1e0ea047b98..797c62708e2 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
@@ -33,9 +33,9 @@ selections:
|
|
|
abb996 |
- require_singleuser_auth
|
|
|
abb996 |
- restrict_serial_port_logins
|
|
|
abb996 |
- securetty_root_login_console_only
|
|
|
abb996 |
- - service_debug-shell_disabled # not supported in RHEL9 ATM
|
|
|
abb996 |
- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
|
|
|
abb996 |
- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - service_debug-shell_disabled
|
|
|
abb996 |
+ - disable_ctrlaltdel_reboot
|
|
|
abb996 |
+ - disable_ctrlaltdel_burstaction
|
|
|
abb996 |
- dconf_db_up_to_date
|
|
|
abb996 |
- dconf_gnome_remote_access_credential_prompt
|
|
|
abb996 |
- dconf_gnome_remote_access_encryption
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
index 0ae391c60bf..adec0cbd774 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
@@ -107,7 +107,7 @@ selections:
|
|
|
abb996 |
- var_accounts_user_umask=027
|
|
|
abb996 |
- accounts_umask_etc_profile
|
|
|
abb996 |
- accounts_umask_etc_bashrc
|
|
|
abb996 |
-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - accounts_umask_etc_csh_cshrc
|
|
|
abb996 |
|
|
|
abb996 |
### Software update
|
|
|
abb996 |
- ensure_redhat_gpgkey_installed
|
|
|
abb996 |
@@ -177,7 +177,7 @@ selections:
|
|
|
abb996 |
- package_aide_installed
|
|
|
abb996 |
- package_dnf-automatic_installed
|
|
|
abb996 |
- package_subscription-manager_installed
|
|
|
abb996 |
-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - package_dnf-plugin-subscription-manager_installed
|
|
|
abb996 |
- package_firewalld_installed
|
|
|
abb996 |
- package_openscap-scanner_installed
|
|
|
abb996 |
- package_policycoreutils_installed
|
|
|
abb996 |
@@ -221,7 +221,7 @@ selections:
|
|
|
abb996 |
- securetty_root_login_console_only
|
|
|
abb996 |
- var_password_pam_unix_remember=5
|
|
|
abb996 |
- accounts_password_pam_unix_remember
|
|
|
abb996 |
-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - use_pam_wheel_for_su
|
|
|
abb996 |
|
|
|
abb996 |
### SELinux Configuration
|
|
|
abb996 |
- var_selinux_state=enforcing
|
|
|
abb996 |
@@ -422,7 +422,7 @@ selections:
|
|
|
abb996 |
- kerberos_disable_no_keytab
|
|
|
abb996 |
|
|
|
abb996 |
# set ssh client rekey limit
|
|
|
abb996 |
-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - ssh_client_rekey_limit
|
|
|
abb996 |
- var_ssh_client_rekey_limit_size=1G
|
|
|
abb996 |
- var_ssh_client_rekey_limit_time=1hour
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
index af347501989..1fe85d39ae0 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
@@ -121,8 +121,8 @@ selections:
|
|
|
abb996 |
- var_smartcard_drivers=cac
|
|
|
abb996 |
- configure_opensc_card_drivers
|
|
|
abb996 |
- force_opensc_card_drivers
|
|
|
abb996 |
-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
|
|
|
abb996 |
-# - service_pcscd_enabled # not supported in RHEL9 ATM
|
|
|
abb996 |
+ - package_pcsc-lite_installed
|
|
|
abb996 |
+ - service_pcscd_enabled
|
|
|
abb996 |
- sssd_enable_smartcards
|
|
|
abb996 |
- set_password_hashing_algorithm_systemauth
|
|
|
abb996 |
- set_password_hashing_algorithm_logindefs
|
|
|
abb996 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
abb996 |
index aa0b30da834..e78838a45aa 100644
|
|
|
abb996 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
abb996 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
abb996 |
@@ -396,7 +396,6 @@ CCE-86276-3
|
|
|
abb996 |
CCE-86277-1
|
|
|
abb996 |
CCE-86278-9
|
|
|
abb996 |
CCE-86279-7
|
|
|
abb996 |
-CCE-86280-5
|
|
|
abb996 |
CCE-86281-3
|
|
|
abb996 |
CCE-86282-1
|
|
|
abb996 |
CCE-86283-9
|
|
|
abb996 |
@@ -1618,7 +1617,6 @@ CCE-87518-7
|
|
|
abb996 |
CCE-87519-5
|
|
|
abb996 |
CCE-87520-3
|
|
|
abb996 |
CCE-87521-1
|
|
|
abb996 |
-CCE-87522-9
|
|
|
abb996 |
CCE-87523-7
|
|
|
abb996 |
CCE-87525-2
|
|
|
abb996 |
CCE-87526-0
|
|
|
abb996 |
@@ -1812,7 +1810,6 @@ CCE-87717-5
|
|
|
abb996 |
CCE-87718-3
|
|
|
abb996 |
CCE-87719-1
|
|
|
abb996 |
CCE-87720-9
|
|
|
abb996 |
-CCE-87721-7
|
|
|
abb996 |
CCE-87722-5
|
|
|
abb996 |
CCE-87723-3
|
|
|
abb996 |
CCE-87724-1
|
|
|
abb996 |
@@ -1994,7 +1991,6 @@ CCE-87903-1
|
|
|
abb996 |
CCE-87904-9
|
|
|
abb996 |
CCE-87905-6
|
|
|
abb996 |
CCE-87906-4
|
|
|
abb996 |
-CCE-87907-2
|
|
|
abb996 |
CCE-87908-0
|
|
|
abb996 |
CCE-87909-8
|
|
|
abb996 |
CCE-87910-6
|
|
|
abb996 |
@@ -3932,7 +3928,6 @@ CCE-89874-2
|
|
|
abb996 |
CCE-89875-9
|
|
|
abb996 |
CCE-89877-5
|
|
|
abb996 |
CCE-89878-3
|
|
|
abb996 |
-CCE-89879-1
|
|
|
abb996 |
CCE-89880-9
|
|
|
abb996 |
CCE-89881-7
|
|
|
abb996 |
CCE-89882-5
|
|
|
abb996 |
@@ -4135,7 +4130,6 @@ CCE-90081-1
|
|
|
abb996 |
CCE-90082-9
|
|
|
abb996 |
CCE-90083-7
|
|
|
abb996 |
CCE-90084-5
|
|
|
abb996 |
-CCE-90085-2
|
|
|
abb996 |
CCE-90086-0
|
|
|
abb996 |
CCE-90087-8
|
|
|
abb996 |
CCE-90088-6
|
|
|
abb996 |
|
|
|
abb996 |
From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
|
|
|
abb996 |
From: Matej Tyc <matyc@redhat.com>
|
|
|
abb996 |
Date: Wed, 4 Aug 2021 16:30:45 +0200
|
|
|
abb996 |
Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
|
|
|
abb996 |
|
|
|
abb996 |
---
|
|
|
abb996 |
.../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
|
|
|
abb996 |
.../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
|
|
|
abb996 |
.../configure_tmux_lock_command/bash/shared.sh | 2 +-
|
|
|
abb996 |
.../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
|
|
|
abb996 |
.../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
|
|
|
abb996 |
5 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
|
|
abb996 |
index 0c544bfbb82..737d725872d 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
|
|
abb996 |
@@ -1,4 +1,4 @@
|
|
|
abb996 |
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
|
|
|
abb996 |
+# platform = multi_platform_all
|
|
|
abb996 |
|
|
|
abb996 |
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
|
|
|
abb996 |
cat >> /etc/bashrc <<'EOF'
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
|
|
|
abb996 |
index 233047afcbc..947e1dd7ee5 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
|
|
|
abb996 |
@@ -1,4 +1,4 @@
|
|
|
abb996 |
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
|
|
|
abb996 |
+# platform = multi_platform_all
|
|
|
abb996 |
|
|
|
abb996 |
tmux_conf="/etc/tmux.conf"
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
|
|
|
abb996 |
index f2430618ab3..0c11c1224e2 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
|
|
|
abb996 |
@@ -1,4 +1,4 @@
|
|
|
abb996 |
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
|
|
|
abb996 |
+# platform = multi_platform_all
|
|
|
abb996 |
|
|
|
abb996 |
tmux_conf="/etc/tmux.conf"
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
|
|
|
abb996 |
index 45c43e8d374..60e0a7e34c8 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
|
|
|
abb996 |
@@ -1,4 +1,4 @@
|
|
|
abb996 |
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
|
|
|
abb996 |
+# platform = multi_platform_all
|
|
|
abb996 |
|
|
|
abb996 |
if grep -q 'tmux$' /etc/shells ; then
|
|
|
abb996 |
sed -i '/tmux$/d' /etc/shells
|
|
|
abb996 |
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
|
|
|
abb996 |
index 87476a7b315..c98847ded72 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
|
|
|
abb996 |
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
|
|
|
abb996 |
@@ -1,3 +1,3 @@
|
|
|
abb996 |
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
|
|
|
abb996 |
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
|
|
|
abb996 |
|
|
|
abb996 |
fips-mode-setup --enable
|
|
|
abb996 |
|
|
|
abb996 |
From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
|
|
|
abb996 |
From: Matej Tyc <matyc@redhat.com>
|
|
|
abb996 |
Date: Wed, 4 Aug 2021 17:56:57 +0200
|
|
|
abb996 |
Subject: [PATCH 3/5] Update the grub config path
|
|
|
abb996 |
|
|
|
abb996 |
RHEL9 and Fedora EFI/legacy grub paths have been unified:
|
|
|
abb996 |
https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
|
|
|
abb996 |
|
|
|
abb996 |
The location of Ubuntu EFI grub paths has been estimated from
|
|
|
abb996 |
https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
|
|
|
abb996 |
|
|
|
abb996 |
Location of SLE EFI grub paths has been taken from existing rules
|
|
|
abb996 |
---
|
|
|
abb996 |
.../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
|
|
|
abb996 |
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
|
|
|
abb996 |
.../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
|
|
|
abb996 |
.../uefi/grub2_uefi_password/rule.yml | 10 ++++----
|
|
|
abb996 |
.../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
|
|
|
abb996 |
products/fedora/product.yml | 2 ++
|
|
|
abb996 |
products/rhel7/product.yml | 2 ++
|
|
|
abb996 |
products/rhel8/product.yml | 2 ++
|
|
|
abb996 |
products/rhel9/product.yml | 2 ++
|
|
|
abb996 |
products/sle12/product.yml | 2 ++
|
|
|
abb996 |
products/sle15/product.yml | 1 +
|
|
|
abb996 |
products/ubuntu1604/product.yml | 1 +
|
|
|
abb996 |
products/ubuntu1804/product.yml | 1 +
|
|
|
abb996 |
products/ubuntu2004/product.yml | 1 +
|
|
|
abb996 |
ssg/constants.py | 1 +
|
|
|
abb996 |
ssg/products.py | 4 ++++
|
|
|
abb996 |
tests/shared/grub2.sh | 10 +++++---
|
|
|
abb996 |
17 files changed, 50 insertions(+), 47 deletions(-)
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
|
|
|
abb996 |
index 8545e8ab2c7..7950c15a848 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
|
|
|
abb996 |
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
|
|
|
abb996 |
@@ -1,26 +1,20 @@
|
|
|
abb996 |
-{{% if product == "fedora" %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
|
|
|
abb996 |
-{{% else %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
|
|
|
abb996 |
-{{% endif %}}
|
|
|
abb996 |
-
|
|
|
abb996 |
<def-group>
|
|
|
abb996 |
<definition class="compliance" id="grub2_uefi_admin_username" version="1">
|
|
|
abb996 |
{{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
|
|
|
abb996 |
|
|
|
abb996 |
<criteria operator="OR">
|
|
|
abb996 |
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
|
|
|
abb996 |
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
|
|
|
abb996 |
</criteria>
|
|
|
abb996 |
</definition>
|
|
|
abb996 |
|
|
|
abb996 |
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
|
|
|
abb996 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
|
|
|
abb996 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
|
|
|
abb996 |
<ind:object object_ref="object_bootloader_uefi_unique_superuser" />
|
|
|
abb996 |
</ind:textfilecontent54_test>
|
|
|
abb996 |
<ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
|
|
|
abb996 |
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
|
|
|
abb996 |
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
|
|
|
abb996 |
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
|
|
|
abb996 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
abb996 |
</ind:textfilecontent54_object>
|
|
|
abb996 |
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
|
abb996 |
index 8a98cbdc95f..128d7cc1cb8 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
|
abb996 |
@@ -20,7 +20,7 @@ description: |-
|
|
|
abb996 |
Once the superuser account has been added,
|
|
|
abb996 |
update the
|
|
|
abb996 |
<tt>grub.cfg</tt> file by running:
|
|
|
abb996 |
- grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
abb996 |
+ grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
abb996 |
|
|
|
abb996 |
rationale: |-
|
|
|
abb996 |
Having a non-default grub superuser username makes password-guessing attacks less effective.
|
|
|
abb996 |
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
|
|
|
abb996 |
index 230aab73139..a67c8ad99bb 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
|
|
|
abb996 |
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
|
|
|
abb996 |
@@ -1,32 +1,26 @@
|
|
|
abb996 |
-{{% if product == "fedora" %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
|
|
|
abb996 |
-{{% else %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
|
|
|
abb996 |
-{{% endif %}}
|
|
|
abb996 |
-
|
|
|
abb996 |
<def-group>
|
|
|
abb996 |
<definition class="compliance" id="grub2_uefi_password" version="1">
|
|
|
abb996 |
{{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
|
|
|
abb996 |
|
|
|
abb996 |
<criteria operator="OR">
|
|
|
abb996 |
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
<criteria operator="AND">
|
|
|
abb996 |
<criteria comment="check both files to account for procedure change in documenation" operator="OR">
|
|
|
abb996 |
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
|
|
|
abb996 |
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
|
|
|
abb996 |
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
|
|
|
abb996 |
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
|
|
|
abb996 |
</criteria>
|
|
|
abb996 |
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
|
|
|
abb996 |
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
|
|
|
abb996 |
</criteria>
|
|
|
abb996 |
</criteria>
|
|
|
abb996 |
</definition>
|
|
|
abb996 |
|
|
|
abb996 |
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
|
|
|
abb996 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
|
|
|
abb996 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
|
|
|
abb996 |
<ind:object object_ref="object_bootloader_uefi_superuser" />
|
|
|
abb996 |
</ind:textfilecontent54_test>
|
|
|
abb996 |
<ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
|
|
|
abb996 |
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
|
|
|
abb996 |
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
|
|
|
abb996 |
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
|
|
|
abb996 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
abb996 |
</ind:textfilecontent54_object>
|
|
|
abb996 |
@@ -35,7 +29,7 @@
|
|
|
abb996 |
<ind:object object_ref="object_grub2_uefi_password_usercfg" />
|
|
|
abb996 |
</ind:textfilecontent54_test>
|
|
|
abb996 |
<ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
|
|
|
abb996 |
- <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
|
|
|
abb996 |
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
|
|
|
abb996 |
<ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
|
|
|
abb996 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
abb996 |
</ind:textfilecontent54_object>
|
|
|
abb996 |
@@ -44,7 +38,7 @@
|
|
|
abb996 |
<ind:object object_ref="object_grub2_uefi_password_grubcfg" />
|
|
|
abb996 |
</ind:textfilecontent54_test>
|
|
|
abb996 |
<ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
|
|
|
abb996 |
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
|
|
|
abb996 |
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
|
|
|
abb996 |
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
|
|
|
abb996 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
abb996 |
</ind:textfilecontent54_object>
|
|
|
abb996 |
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
|
abb996 |
index cb0d60c3ddf..cc68441e5ad 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
|
abb996 |
@@ -31,10 +31,8 @@ description: |-
|
|
|
abb996 |
<tt>grub.cfg</tt> file by running:
|
|
|
abb996 |
{{% if "ubuntu" in product %}}
|
|
|
abb996 |
update-grub
|
|
|
abb996 |
- {{% elif product in ["sle12", "sle15"] %}}
|
|
|
abb996 |
- grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg
|
|
|
abb996 |
{{% else %}}
|
|
|
abb996 |
- grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
abb996 |
+ grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
abb996 |
{{% endif %}}
|
|
|
abb996 |
|
|
|
abb996 |
rationale: |-
|
|
|
abb996 |
@@ -91,18 +89,18 @@ ocil: |-
|
|
|
abb996 |
To verify the boot loader superuser account password has been set,
|
|
|
abb996 |
and the password encrypted, run the following command:
|
|
|
abb996 |
{{% if product in ["sle12", "sle15"] %}}
|
|
|
abb996 |
- sudo cat /boot/efi/EFI/sles/grub.cfg
|
|
|
abb996 |
+ sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
abb996 |
The output should be similar to:
|
|
|
abb996 |
password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
|
|
|
abb996 |
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
|
|
|
abb996 |
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
|
|
|
abb996 |
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
|
|
|
abb996 |
{{% elif "ubuntu" in product %}}
|
|
|
abb996 |
- grep -i password /boot/grub/grub.cfg
|
|
|
abb996 |
+ grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
abb996 |
The output should contain something similar to:
|
|
|
abb996 |
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
|
|
|
abb996 |
{{% else %}}
|
|
|
abb996 |
- sudo cat /boot/efi/EFI/redhat/user.cfg
|
|
|
abb996 |
+ sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
|
|
|
abb996 |
The output should be similar to:
|
|
|
abb996 |
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
|
|
|
abb996 |
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
|
|
|
abb996 |
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
|
|
|
abb996 |
index 72872d907e3..89a9fae86ec 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
|
|
|
abb996 |
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
|
|
|
abb996 |
@@ -1,27 +1,21 @@
|
|
|
abb996 |
-{{% if product == "fedora" %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
|
|
|
abb996 |
-{{% else %}}
|
|
|
abb996 |
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
|
|
|
abb996 |
-{{% endif %}}
|
|
|
abb996 |
-
|
|
|
abb996 |
<def-group>
|
|
|
abb996 |
<definition class="compliance" id="uefi_no_removeable_media" version="1">
|
|
|
abb996 |
{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
|
|
|
abb996 |
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
|
|
|
abb996 |
- <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
|
|
|
abb996 |
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
+ <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
|
|
|
abb996 |
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
</criteria>
|
|
|
abb996 |
</definition>
|
|
|
abb996 |
|
|
|
abb996 |
|
|
|
abb996 |
- comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
|
|
|
abb996 |
+ comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
|
|
|
abb996 |
id="test_uefi_no_removeable_media" version="1">
|
|
|
abb996 |
<ind:object object_ref="obj_uefi_no_removeable_media" />
|
|
|
abb996 |
<ind:state state_ref="state_uefi_no_removeable_media" />
|
|
|
abb996 |
</ind:textfilecontent54_test>
|
|
|
abb996 |
|
|
|
abb996 |
<ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
|
|
|
abb996 |
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
|
|
|
abb996 |
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
|
|
|
abb996 |
<ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
|
|
|
abb996 |
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
abb996 |
</ind:textfilecontent54_object>
|
|
|
abb996 |
@@ -30,5 +24,5 @@
|
|
|
abb996 |
<ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
|
|
|
abb996 |
</ind:textfilecontent54_state>
|
|
|
abb996 |
|
|
|
abb996 |
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
|
|
|
abb996 |
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
|
|
|
abb996 |
</def-group>
|
|
|
abb996 |
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
|
|
|
abb996 |
index 0cb53c5331e..ea8e98eea78 100644
|
|
|
abb996 |
--- a/products/fedora/product.yml
|
|
|
abb996 |
+++ b/products/fedora/product.yml
|
|
|
abb996 |
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
|
|
|
abb996 |
|
|
|
abb996 |
init_system: "systemd"
|
|
|
abb996 |
|
|
|
abb996 |
+grub2_boot_path: "/boot/grub2"
|
|
|
abb996 |
+
|
|
|
abb996 |
dconf_gdm_dir: "distro.d"
|
|
|
abb996 |
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
|
|
|
abb996 |
index fb5d17786da..6438797f218 100644
|
|
|
abb996 |
--- a/products/rhel7/product.yml
|
|
|
abb996 |
+++ b/products/rhel7/product.yml
|
|
|
abb996 |
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
|
|
abb996 |
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
|
|
|
abb996 |
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
|
|
|
abb996 |
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
|
|
|
abb996 |
+
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
- rhel7:
|
|
|
abb996 |
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
|
|
|
abb996 |
index 78c987b2457..f6d2102558d 100644
|
|
|
abb996 |
--- a/products/rhel8/product.yml
|
|
|
abb996 |
+++ b/products/rhel8/product.yml
|
|
|
abb996 |
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
|
|
abb996 |
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
|
|
|
abb996 |
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
|
|
|
abb996 |
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
|
|
|
abb996 |
+
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
- rhel8:
|
|
|
abb996 |
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
|
|
|
abb996 |
index 4ceb332adf3..6b5a15d5cee 100644
|
|
|
abb996 |
--- a/products/rhel9/product.yml
|
|
|
abb996 |
+++ b/products/rhel9/product.yml
|
|
|
abb996 |
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
|
|
|
abb996 |
|
|
|
abb996 |
init_system: "systemd"
|
|
|
abb996 |
|
|
|
abb996 |
+grub2_boot_path: "/boot/grub2"
|
|
|
abb996 |
+
|
|
|
abb996 |
dconf_gdm_dir: "distro.d"
|
|
|
abb996 |
|
|
|
abb996 |
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
|
|
|
abb996 |
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
|
|
|
abb996 |
index d1301a17f91..b9e44e0725c 100644
|
|
|
abb996 |
--- a/products/sle12/product.yml
|
|
|
abb996 |
+++ b/products/sle12/product.yml
|
|
|
abb996 |
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
|
|
|
abb996 |
pkg_manager_config_file: "/etc/zypp/zypp.conf"
|
|
|
abb996 |
oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
|
|
|
abb996 |
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
|
|
|
abb996 |
+
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
- sle12-server:
|
|
|
abb996 |
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
|
|
|
abb996 |
index 827a875d493..36ec98397f6 100644
|
|
|
abb996 |
--- a/products/ubuntu1604/product.yml
|
|
|
abb996 |
+++ b/products/ubuntu1604/product.yml
|
|
|
abb996 |
@@ -12,6 +12,7 @@ init_system: "systemd"
|
|
|
abb996 |
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
|
|
|
abb996 |
|
|
|
abb996 |
grub2_boot_path: "/boot/grub"
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
|
|
|
abb996 |
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
|
|
|
abb996 |
index 68922441a2a..f1671b8d7dd 100644
|
|
|
abb996 |
--- a/products/ubuntu1804/product.yml
|
|
|
abb996 |
+++ b/products/ubuntu1804/product.yml
|
|
|
abb996 |
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
|
|
|
abb996 |
init_system: "systemd"
|
|
|
abb996 |
|
|
|
abb996 |
grub2_boot_path: "/boot/grub"
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
|
|
|
abb996 |
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
|
|
|
abb996 |
index 15565b6748f..d75624d70a3 100644
|
|
|
abb996 |
--- a/products/ubuntu2004/product.yml
|
|
|
abb996 |
+++ b/products/ubuntu2004/product.yml
|
|
|
abb996 |
@@ -12,6 +12,7 @@ init_system: "systemd"
|
|
|
abb996 |
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
|
|
|
abb996 |
|
|
|
abb996 |
grub2_boot_path: "/boot/grub"
|
|
|
abb996 |
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
|
|
|
abb996 |
|
|
|
abb996 |
cpes_root: "../../shared/applicability"
|
|
|
abb996 |
cpes:
|
|
|
abb996 |
diff --git a/ssg/constants.py b/ssg/constants.py
|
|
|
abb996 |
index 666d7a4d3c8..f9c978a22a2 100644
|
|
|
abb996 |
--- a/ssg/constants.py
|
|
|
abb996 |
+++ b/ssg/constants.py
|
|
|
abb996 |
@@ -383,4 +383,5 @@
|
|
|
abb996 |
# Application constants
|
|
|
abb996 |
DEFAULT_UID_MIN = 1000
|
|
|
abb996 |
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
|
|
|
abb996 |
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
|
|
|
abb996 |
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
|
|
|
abb996 |
diff --git a/ssg/products.py b/ssg/products.py
|
|
|
abb996 |
index 25178b741b2..fb55f5c2f4b 100644
|
|
|
abb996 |
--- a/ssg/products.py
|
|
|
abb996 |
+++ b/ssg/products.py
|
|
|
abb996 |
@@ -9,6 +9,7 @@
|
|
|
abb996 |
from .constants import (product_directories,
|
|
|
abb996 |
DEFAULT_UID_MIN,
|
|
|
abb996 |
DEFAULT_GRUB2_BOOT_PATH,
|
|
|
abb996 |
+ DEFAULT_GRUB2_UEFI_BOOT_PATH,
|
|
|
abb996 |
DEFAULT_DCONF_GDM_DIR,
|
|
|
abb996 |
PKG_MANAGER_TO_SYSTEM,
|
|
|
abb996 |
PKG_MANAGER_TO_CONFIG_FILE,
|
|
|
abb996 |
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
|
|
|
abb996 |
if "grub2_boot_path" not in existing_properties:
|
|
|
abb996 |
result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
|
|
|
abb996 |
|
|
|
abb996 |
+ if "grub2_uefi_boot_path" not in existing_properties:
|
|
|
abb996 |
+ result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
|
|
|
abb996 |
+
|
|
|
abb996 |
if "dconf_gdm_dir" not in existing_properties:
|
|
|
abb996 |
result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
|
|
|
abb996 |
index bce7683a7c1..f024b3766cf 100644
|
|
|
abb996 |
--- a/tests/shared/grub2.sh
|
|
|
abb996 |
+++ b/tests/shared/grub2.sh
|
|
|
abb996 |
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
|
|
|
abb996 |
|
|
|
abb996 |
function set_grub_uefi_root {
|
|
|
abb996 |
if grep NAME /etc/os-release | grep -iq fedora; then
|
|
|
abb996 |
- GRUB_CFG_ROOT=/boot/efi/EFI/fedora
|
|
|
abb996 |
- else
|
|
|
abb996 |
- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
|
|
|
abb996 |
+ GRUB_CFG_ROOT=/boot/grub2
|
|
|
abb996 |
+ elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
|
|
|
abb996 |
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
|
|
|
abb996 |
+ GRUB_CFG_ROOT=/boot/grub2
|
|
|
abb996 |
+ else
|
|
|
abb996 |
+ GRUB_CFG_ROOT=/boot/efi/EFI/redhat
|
|
|
abb996 |
+ fi
|
|
|
abb996 |
fi
|
|
|
abb996 |
}
|
|
|
abb996 |
|
|
|
abb996 |
|
|
|
abb996 |
From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
|
|
|
abb996 |
From: Matej Tyc <matyc@redhat.com>
|
|
|
abb996 |
Date: Thu, 5 Aug 2021 17:59:39 +0200
|
|
|
abb996 |
Subject: [PATCH 4/5] Add the sshd directory configuration rule
|
|
|
abb996 |
|
|
|
abb996 |
Remediations of other sshd rules assumes that sshd is configured using
|
|
|
abb996 |
multiple files as opposed to one huge file, and this rule
|
|
|
abb996 |
makes sure that the assumption is guarded.
|
|
|
abb996 |
---
|
|
|
abb996 |
controls/anssi.yml | 3 +++
|
|
|
abb996 |
products/rhel9/profiles/cis.profile | 2 ++
|
|
|
abb996 |
products/rhel9/profiles/cjis.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/e8.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/hipaa.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/ism_o.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/ospp.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/pci-dss.profile | 1 +
|
|
|
abb996 |
products/rhel9/profiles/rht-ccp.profile | 1 +
|
|
|
abb996 |
9 files changed, 12 insertions(+)
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
|
abb996 |
index 7737e67ea51..eee79cf1ef7 100644
|
|
|
abb996 |
--- a/controls/anssi.yml
|
|
|
abb996 |
+++ b/controls/anssi.yml
|
|
|
abb996 |
@@ -384,6 +384,9 @@ controls:
|
|
|
abb996 |
- package_sudo_installed
|
|
|
abb996 |
- audit_rules_privileged_commands_sudo
|
|
|
abb996 |
|
|
|
abb996 |
+ # This rule should be present in the profile at least once
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
+
|
|
|
abb996 |
- id: R20
|
|
|
abb996 |
levels:
|
|
|
abb996 |
- enhanced
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
|
|
|
abb996 |
index 622f88e3766..8d7816e5e2d 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/cis.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/cis.profile
|
|
|
abb996 |
@@ -791,6 +791,8 @@ selections:
|
|
|
abb996 |
- file_permissions_sshd_pub_key
|
|
|
abb996 |
# TO DO: check owner of pub keys in /etc/ssh is root:root
|
|
|
abb996 |
|
|
|
abb996 |
+ # Ensure that the configuration is done the right way
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
|
|
|
abb996 |
- sshd_set_loglevel_info
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
|
|
|
abb996 |
index b45ba19d84f..0aaf7cb0206 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/cjis.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/cjis.profile
|
|
|
abb996 |
@@ -98,6 +98,7 @@ selections:
|
|
|
abb996 |
- dconf_gnome_screensaver_idle_activation_enabled
|
|
|
abb996 |
- dconf_gnome_screensaver_lock_enabled
|
|
|
abb996 |
- dconf_gnome_screensaver_mode_blank
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_allow_only_protocol2
|
|
|
abb996 |
- sshd_set_idle_timeout
|
|
|
abb996 |
- var_sshd_set_keepalive=0
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
|
|
|
abb996 |
index 6d87a778eee..3851255ccec 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/e8.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/e8.profile
|
|
|
abb996 |
@@ -126,6 +126,7 @@ selections:
|
|
|
abb996 |
- audit_rules_kernel_module_loading
|
|
|
abb996 |
|
|
|
abb996 |
### Secure access
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_disable_root_login
|
|
|
abb996 |
- sshd_disable_gssapi_auth
|
|
|
abb996 |
- sshd_print_last_log
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
index 797c62708e2..d1dc18ba33c 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/hipaa.profile
|
|
|
abb996 |
@@ -39,6 +39,7 @@ selections:
|
|
|
abb996 |
- dconf_db_up_to_date
|
|
|
abb996 |
- dconf_gnome_remote_access_credential_prompt
|
|
|
abb996 |
- dconf_gnome_remote_access_encryption
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_disable_empty_passwords
|
|
|
abb996 |
- sshd_disable_root_login
|
|
|
abb996 |
- libreswan_approved_tunnels
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
|
|
|
abb996 |
index 82e863ad3d3..6fc919da128 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/ism_o.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/ism_o.profile
|
|
|
abb996 |
@@ -56,6 +56,7 @@ selections:
|
|
|
abb996 |
## Authentication hardening
|
|
|
abb996 |
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
|
|
|
abb996 |
## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_max_auth_tries_value=5
|
|
|
abb996 |
- disable_host_auth
|
|
|
abb996 |
- require_emergency_target_auth
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
index adec0cbd774..08ffcccd9e2 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
@@ -58,6 +58,7 @@ selections:
|
|
|
abb996 |
|
|
|
abb996 |
### Services
|
|
|
abb996 |
# sshd
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_disable_root_login
|
|
|
abb996 |
- sshd_enable_strictmodes
|
|
|
abb996 |
- disable_host_auth
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
index 1fe85d39ae0..bd16dc97721 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/pci-dss.profile
|
|
|
abb996 |
@@ -105,6 +105,7 @@ selections:
|
|
|
abb996 |
- dconf_gnome_screensaver_idle_activation_enabled
|
|
|
abb996 |
- dconf_gnome_screensaver_lock_enabled
|
|
|
abb996 |
- dconf_gnome_screensaver_mode_blank
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_set_idle_timeout
|
|
|
abb996 |
- var_sshd_set_keepalive=0
|
|
|
abb996 |
- accounts_password_pam_minlen
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
|
|
|
abb996 |
index e1d9a70b493..8576975aa54 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/rht-ccp.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/rht-ccp.profile
|
|
|
abb996 |
@@ -87,6 +87,7 @@ selections:
|
|
|
abb996 |
- service_telnet_disabled
|
|
|
abb996 |
- package_telnet-server_removed
|
|
|
abb996 |
- package_telnet_removed
|
|
|
abb996 |
+ - sshd_use_directory_configuration
|
|
|
abb996 |
- sshd_allow_only_protocol2
|
|
|
abb996 |
- sshd_set_idle_timeout
|
|
|
abb996 |
- var_sshd_set_keepalive=0
|
|
|
abb996 |
|
|
|
abb996 |
From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
|
|
|
abb996 |
From: Matej Tyc <matyc@redhat.com>
|
|
|
abb996 |
Date: Wed, 11 Aug 2021 16:43:00 +0200
|
|
|
abb996 |
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
|
|
|
abb996 |
|
|
|
abb996 |
Packages dnf-plugin-subscription-manager and subscription-manager are
|
|
|
abb996 |
merged to subscription-manager in RHEL9 - see
|
|
|
abb996 |
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
|
|
|
abb996 |
---
|
|
|
abb996 |
.../rule.yml | 3 +--
|
|
|
abb996 |
.../package_subscription-manager_installed/rule.yml | 9 ++++++++-
|
|
|
abb996 |
products/rhel9/profiles/ospp.profile | 1 -
|
|
|
abb996 |
3 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
index 4f49b3b825d..8b6577226fb 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
abb996 |
@@ -1,6 +1,6 @@
|
|
|
abb996 |
documentation_complete: true
|
|
|
abb996 |
|
|
|
abb996 |
-prodtype: rhel8,rhel9
|
|
|
abb996 |
+prodtype: rhel8
|
|
|
abb996 |
|
|
|
abb996 |
title: 'Install dnf-plugin-subscription-manager Package'
|
|
|
abb996 |
|
|
|
abb996 |
@@ -17,7 +17,6 @@ severity: medium
|
|
|
abb996 |
|
|
|
abb996 |
identifiers:
|
|
|
abb996 |
cce@rhel8: CCE-82315-3
|
|
|
abb996 |
- cce@rhel9: CCE-89879-1
|
|
|
abb996 |
|
|
|
abb996 |
references:
|
|
|
abb996 |
ism: 0940,1144,1467,1472,1483,1493,1494,1495
|
|
|
abb996 |
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
|
|
abb996 |
index b90a7588270..32e5ce9a129 100644
|
|
|
abb996 |
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
|
|
abb996 |
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
|
|
abb996 |
@@ -12,7 +12,14 @@ rationale: |-
|
|
|
abb996 |
and subscriptions on a local system to help manage subscription assignments.
|
|
|
abb996 |
It communicates with the backend subscription service (the Customer Portal
|
|
|
abb996 |
or an on-premise server such as Subscription Asset Manager) and works with
|
|
|
abb996 |
- content management tools such as yum.
|
|
|
abb996 |
+ content management tools such as {{{ package_manager }}}.
|
|
|
abb996 |
+
|
|
|
abb996 |
+ {{% if product in ["rhel9"] %}}
|
|
|
abb996 |
+ The package provides, among other things, {{{ package_manager }}} plugins
|
|
|
abb996 |
+ to interact with repositories and subscriptions
|
|
|
abb996 |
+ from the Red Hat entitlement platform - the subscription-manager and
|
|
|
abb996 |
+ product-id plugins.
|
|
|
abb996 |
+ {{% endif %}}
|
|
|
abb996 |
|
|
|
abb996 |
severity: medium
|
|
|
abb996 |
|
|
|
abb996 |
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
index 08ffcccd9e2..1b060c7bf07 100644
|
|
|
abb996 |
--- a/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
+++ b/products/rhel9/profiles/ospp.profile
|
|
|
abb996 |
@@ -178,7 +178,6 @@ selections:
|
|
|
abb996 |
- package_aide_installed
|
|
|
abb996 |
- package_dnf-automatic_installed
|
|
|
abb996 |
- package_subscription-manager_installed
|
|
|
abb996 |
- - package_dnf-plugin-subscription-manager_installed
|
|
|
abb996 |
- package_firewalld_installed
|
|
|
abb996 |
- package_openscap-scanner_installed
|
|
|
abb996 |
- package_policycoreutils_installed
|