From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:23:32 +0100
Subject: [PATCH 2/4] Update remediation to skip .bash_profile file

This file can contain the umask content, but for a different purpose than
this rule's intention. It was ignored in order to avoid changing the bash
history. Ansible and Bash were updated.
---
 .../accounts_umask_interactive_users/ansible/shared.yml       | 4 +++-
 .../accounts_umask_interactive_users/bash/shared.sh           | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
index 67064ac4a3b..3586ae69cbe 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -9,6 +9,8 @@
     cmd: |
       for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
         for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
-          sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+          if [ "$(basename $file)" != ".bash_history" ]; then
+            sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+          fi
         done
       done
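Review bot: The comparison on the new `if` line forks a `basename` process for every dotfile and expands `$file` unquoted inside the command substitution; the parameter expansion `if [ "${file##*/}" != ".bash_history" ]; then` does the same test without either, and the same applies to the `if` line of the bash remediation in the next hunk. Because the enclosing `for file in $(find ...)` already word-splits paths, the unquoted expansion is not a new breakage here, only a habit worth not carrying into the new line. Separately, the commit subject says `.bash_profile` while the description and both hunks skip `.bash_history`; the code appears to be what was intended.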
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
index d5f803db313..f524ff01f9a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -6,6 +6,8 @@
 
 {{% call iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
 {{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+if [ "$(basename $file)" != ".bash_history" ]; then
+    sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+fi
 {{%- endcall %}}
 {{%- endcall %}}

From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:26:04 +0100
Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment

---
 .../tests/bash_history_ignored.pass.sh                       | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh

diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
new file mode 100644
index 00000000000..8eeffc233b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "umask 022" > /home/$USER/.bash_history
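Review bot: The last line hardcodes `/home/$USER` as the home directory, which only holds while useradd's home base is the default; resolving it from the passwd entry, `HOME_DIR=$(getent passwd "$USER" | cut -d: -f6)` and then `echo "umask 022" > "$HOME_DIR/.bash_history"`, keeps the scenario valid elsewhere. The script also assigns the shell's `USER` variable, which is commonly exported, so the child `useradd` process sees the changed value; a dedicated name such as `TEST_USER` avoids that. As written the scenario shows that the scanner ignores `.bash_history`; whether the remediation leaves the file untouched is presumably covered by the harness's post-remediation rescan, which this file alone cannot tell.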

From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:27:26 +0100
Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file

This rule targets user files where the umask can be changed, which is not the
case for .bash_history. In addition, the remediations of this rule should avoid
changing the .bash_history file.
---
 .../accounts_umask_interactive_users/oval/shared.xml        | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
index 42dbdbbae46..6f3eaa570d7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
@@ -29,8 +29,14 @@
     <ind:filename operation="pattern match">^\..*</ind:filename>
     <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_accounts_umask_interactive_users_bash_history</filter>
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_state id="state_accounts_umask_interactive_users_bash_history"
+    version="1">
+    <ind:filename operation="pattern match">^\.bash_history</ind:filename>
+  </ind:textfilecontent54_state>
+
   <!-- #### creation of test #### -->
   <ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
                   check_existence="none_exist" version="1"
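Review bot: The new exclusion state's filename pattern `^\.bash_history` has no end anchor, so the OVAL check also ignores files such as `.bash_history.bak` or `.bash_history_old`, while the remediations in the earlier patches skip only a file named exactly `.bash_history`; for those files the check passes but the fix would still rewrite them. Using `<ind:filename operation="equals">.bash_history</ind:filename>` (or the anchored `^\.bash_history$`) keeps the check and the remediation aligned. The `<!-- #### creation of test #### -->` section continues past the end of the hunk.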