From 7e8648607907f90c602095e19c044a364eb472b8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 18 2023 00:50:21 +0000
Subject: import scap-security-guide-0.1.66-2.el8
---
diff --git a/.gitignore b/.gitignore
index 719f18c..6109c1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
-SOURCES/scap-security-guide-0.1.63.tar.bz2
+SOURCES/scap-security-guide-0.1.66.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 31d7902..6ec1dbc 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1,2 +1,2 @@
 b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
-b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
+fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 655c558..f883e6a 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -1,8 +1,24 @@
+From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 6 Feb 2023 14:44:17 +0100
+Subject: [PATCH] Disable profiles not in good shape
+
+Patch-name: disable-not-in-good-shape-profiles.patch
+Patch-id: 0
+Patch-status: |
+ Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
+---
+ products/rhel8/CMakeLists.txt | 1 -
+ products/rhel8/profiles/cjis.profile | 2 +-
+ products/rhel8/profiles/rht-ccp.profile | 2 +-
+ products/rhel8/profiles/standard.profile | 2 +-
+ 4 files changed, 3 insertions(+), 4 deletions(-)
+
 diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
-index 5258591c7f..cc4b9c5720 100644
+index 9c044b68ab..8f6ca03de8 100644
 --- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt -@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT}) +@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT}) ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss") ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist") @@ -10,8 +26,8 @@ index 5258591c7f..cc4b9c5720 100644 ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist") ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") -diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index 035d2705b..c6475f33e 100644 +diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile +index 22ae5aac72..f60b65bc06 100644 --- a/products/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -20,8 +36,8 @@ index 035d2705b..c6475f33e 100644 metadata: version: 5.4 -diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile -index c84579592..164ec98c4 100644 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index b192461f95..ae1e7d5a15 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -30,8 +46,8 @@ index c84579592..164ec98c4 100644 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' -diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile -index a63ae2cf3..da669bb84 100644 +diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile +index a63ae2cf32..da669bb843 100644 --- a/products/rhel8/profiles/standard.profile +++ b/products/rhel8/profiles/standard.profile @@ -1,4 +1,4 @@ 
@@ -41,5 +57,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.26.2 +2.39.1 diff --git a/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch b/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch deleted file mode 100644 index ac3b3a6..0000000 --- a/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Thu, 21 Jul 2022 16:42:41 +0200 -Subject: [PATCH 1/3] Add platforms for partition existence - ---- - shared/applicability/general.yml | 14 +++++++++++++ - .../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++ - .../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++ - shared/macros/10-ansible.jinja | 5 +++++ - shared/macros/10-bash.jinja | 5 +++++ - shared/macros/10-oval.jinja | 21 +++++++++++++++++++ - 6 files changed, 65 insertions(+) - create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml - create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml - -diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml -index 2d23d753148..e2f5d04ce00 100644 ---- a/shared/applicability/general.yml -+++ b/shared/applicability/general.yml -@@ -77,6 +77,20 @@ cpes: - bash_conditional: {{{ bash_pkg_conditional("pam") }}} - ansible_conditional: {{{ ansible_pkg_conditional("pam") }}} - -+ - partition-var-tmp: -+ name: "cpe:/a:partition-var-tmp" -+ title: "There is a /var/tmp partition" -+ check_id: installed_env_mounts_var_tmp -+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}} -+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}} -+ -+ - partition-tmp: -+ name: "cpe:/a:partition-tmp" -+ title: "There is a /tmp partition" -+ check_id: installed_env_mounts_tmp -+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}} -+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}} -+ - - polkit: - name: "cpe:/a:polkit" - title: "Package polkit is installed" -diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml -new file mode 100644 -index 00000000000..c1bcd6b2431 ---- /dev/null -+++ b/shared/checks/oval/installed_env_mounts_tmp.xml -@@ -0,0 +1,10 @@ -+ -+ -+ {{{ oval_metadata("", title="Partition /tmp exists", 
affected_platforms=[full_name]) }}} -+ -+ {{{ partition_exists_criterion("/tmp") }}} -+ -+ -+ -+ {{{ partition_exists_tos("/tmp") }}} -+ -diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml -new file mode 100644 -index 00000000000..a72f49c8a8f ---- /dev/null -+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml -@@ -0,0 +1,10 @@ -+ -+ -+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}} -+ -+ {{{ partition_exists_criterion("/var/tmp") }}} -+ -+ -+ -+ {{{ partition_exists_tos("/var/tmp") }}} -+ -diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 2d24f730d3f..478f0072bc7 100644 ---- a/shared/macros/10-ansible.jinja -+++ b/shared/macros/10-ansible.jinja -@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template. - when: - - result_pam_file_present.stat.exists - {{%- endmacro -%}} -+ -+ -+{{%- macro ansible_partition_conditional(path) -%}} -+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+{{%- endmacro -%}} -diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja -index 94c3c6f9570..6a7fb165fd2 100644 ---- a/shared/macros/10-bash.jinja -+++ b/shared/macros/10-bash.jinja -@@ -2085,3 +2085,8 @@ else - echo "{{{ pam_file }}} was not found" >&2 - fi - {{%- endmacro -%}} -+ -+ -+{{%- macro bash_partition_conditional(path) -%}} -+'findmnt --mountpoint "{{{ path }}}" > /dev/null' -+{{%- endmacro -%}} -diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja -index c8d7bbeffb7..1ec93b6ef7d 100644 ---- a/shared/macros/10-oval.jinja -+++ b/shared/macros/10-oval.jinja -@@ -926,3 +926,24 @@ Generates the :code:`` tag for OVAL check using correct product platfo - {{%- else %}} - {{%- set user_list="nobody" %}} - {{%- endif %}} -+ -+ -+{{%- macro partition_exists_criterion(path) %}} -+{{%- set escaped_path = path | replace("/", "_") %}} -+ 
-+{{%- endmacro %}} -+ -+{{%- macro partition_exists_tos(path) %}} -+{{%- set escaped_path = path | replace("/", "_") %}} -+ -+ -+ {{#- #}} -+ -+ -+ -+ {{{ path }}} -+ -+{{%- endmacro %}} - -From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Thu, 21 Jul 2022 16:43:21 +0200 -Subject: [PATCH 2/3] Use partition exist platforms on a real rule - ---- - .../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++- - .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++ - 2 files changed, 7 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -index 8ee8c8b12e0..741d0973283 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -@@ -38,7 +38,8 @@ references: - stigid@ol8: OL08-00-040132 - stigid@rhel8: RHEL-08-040132 - --platform: machine -+platforms: -+ - machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -new file mode 100644 -index 00000000000..241c0103d82 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+. 
$SHARED/partition.sh -+ -+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it - -From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Wed, 10 Aug 2022 11:32:38 +0200 -Subject: [PATCH 3/3] Improve code style - -- Improve description of OVAL macro -- Use the escape_id filter to produce IDs ---- - shared/checks/oval/installed_env_mounts_tmp.xml | 2 +- - shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +- - shared/macros/10-oval.jinja | 7 +++---- - 3 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml -index c1bcd6b2431..edd8ad050f5 100644 ---- a/shared/checks/oval/installed_env_mounts_tmp.xml -+++ b/shared/checks/oval/installed_env_mounts_tmp.xml -@@ -6,5 +6,5 @@ - - - -- {{{ partition_exists_tos("/tmp") }}} -+ {{{ partition_exists_test_object("/tmp") }}} - -diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml -index a72f49c8a8f..cf9aafbdb04 100644 ---- a/shared/checks/oval/installed_env_mounts_var_tmp.xml -+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml -@@ -6,5 +6,5 @@ - - - -- {{{ partition_exists_tos("/var/tmp") }}} -+ {{{ partition_exists_test_object("/var/tmp") }}} - -diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja -index 1ec93b6ef7d..f302091f7df 100644 ---- a/shared/macros/10-oval.jinja -+++ b/shared/macros/10-oval.jinja -@@ -929,18 +929,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo - - - {{%- macro partition_exists_criterion(path) %}} --{{%- set escaped_path = path | replace("/", "_") %}} -+{{%- set escaped_path = path | escape_id %}} - - {{%- endmacro %}} - --{{%- macro partition_exists_tos(path) %}} --{{%- set escaped_path = path | replace("/", "_") %}} -+{{%- macro partition_exists_test_object(path) %}} -+{{%- set escaped_path = path | 
escape_id %}} - - -- {{#- #}} - - - diff --git a/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch b/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch deleted file mode 100644 index dc46ba5..0000000 --- a/SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 172258291cea7100e89002203f3d9ae1bc468cd3 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 21 Sep 2022 17:22:29 +0200 -Subject: [PATCH] add warning to sysctl_net_ipv4_conf_all_forwarding - ---- - .../sysctl_net_ipv4_conf_all_forwarding/rule.yml | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml -index 7b0066f7c29..20a778cdf9e 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml -@@ -36,6 +36,15 @@ srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless th - - platform: machine - -+ -+warnings: -+ - general: |- -+ There might be cases when certain applications can systematically override this option. -+ One such case is {{{ weblink("https://libvirt.org/", "Libvirt") }}}; a toolkit for managing of virtualization platforms. -+ By default, Libvirt requires IP forwarding to be enabled to facilitate -+ network communication between the virtualization host and guest -+ machines. It enables IP forwarding after every reboot. -+ - template: - name: sysctl - vars: 
diff --git a/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch b/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
deleted file mode 100644
index 1d5854e..0000000
--- a/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Wed, 10 Aug 2022 13:35:50 +0200 -Subject: [PATCH] Add the platform applicability to relevant rules - ---- - .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +- - .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +- - .../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -index 45a73e0286a..79a19a8d30b 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -@@ -45,7 +45,7 @@ references: - stigid@ol8: OL08-00-040123 - stigid@rhel8: RHEL-08-040123 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -index 7356183bab3..d3f6d6175e5 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -@@ -44,7 +44,7 @@ references: - stigid@ol8: OL08-00-040125 - stigid@rhel8: RHEL-08-040125 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml 
-index d153b86934f..10790dc95a7 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -@@ -45,7 +45,7 @@ references: - stigid@ol8: OL08-00-040124 - stigid@rhel8: RHEL-08-040124 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -index 133e7727ca7..05992df4b49 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -@@ -31,7 +31,7 @@ references: - nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 - nist-csf: PR.IP-1,PR.PT-3 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -index 39fd458ec6b..dc00b2f2376 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -@@ -38,7 +38,7 @@ references: - stigid@ol8: OL08-00-040134 - stigid@rhel8: RHEL-08-040134 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -index 349f3348955..f0c26b6d9c5 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -@@ -38,7 +38,7 @@ 
references: - stigid@ol8: OL08-00-040133 - stigid@rhel8: RHEL-08-040133 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option diff --git a/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch b/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch deleted file mode 100644 index 8da44fd..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 15 Aug 2022 13:14:58 +0200 -Subject: [PATCH 1/2] Access the mounts via ansible_mounts - -It seems that the data about ansible_mounts should be accessed without -the 'ansible_facts' prefix. ---- - shared/macros/10-ansible.jinja | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 478f0072bc7..e8bff0973f5 100644 ---- a/shared/macros/10-ansible.jinja -+++ b/shared/macros/10-ansible.jinja -@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template. - - - {{%- macro ansible_partition_conditional(path) -%}} --"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" - {{%- endmacro -%}} - -From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 15 Aug 2022 13:16:24 +0200 -Subject: [PATCH 2/2] Avoid use of json_query and additional dependency - -The json_query filter requires package jmespath to be installed. - -This also avoids mismatchs in python version between ansible and -python3-jmespath. Some distros (RHEL8) don't have jmespath module -available for the same python version ansible is using. ---- - shared/macros/10-ansible.jinja | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index e8bff0973f5..beb2bc11403 100644 ---- a/shared/macros/10-ansible.jinja -+++ b/shared/macros/10-ansible.jinja -@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template. - - - {{%- macro ansible_partition_conditional(path) -%}} --"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' - {{%- endmacro -%}} 
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch b/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch deleted file mode 100644 index e5132c3..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 16 Aug 2022 18:53:02 +0200 -Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x - -There is no need to check /etc/grubenv for fips=1 on s390x systems, it -uses zIPL. ---- - .../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 65056a654c6..7af675de0d3 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -7,9 +7,16 @@ - - - -- {{% if product in ["ol8","rhel8"] %}} -+ {{% if product in ["ol8"] %}} - -+ {{% elif product in ["rhel8"] %}} -+ -+ -+ -+ - {{% endif %}} - - diff --git a/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch b/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch deleted file mode 100644 index dd18148..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 5 Aug 2022 12:45:24 +0200 -Subject: [PATCH] Fix rule sudo_custom_logfile - -- Allow only white space after the Default keyword to avoid - matching words that only start with Default. -- If the variable value contains slashes they need to be escaped - because the sed command uses slashes as a separator, otherwise - the sed doesn't replace the wrong line during a remediation. - -Also adds 2 test scenarios. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109 ---- - .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- - .../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++ - .../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++ - shared/templates/sudo_defaults_option/ansible.template | 2 +- - shared/templates/sudo_defaults_option/bash.template | 5 +++-- - shared/templates/sudo_defaults_option/oval.template | 2 +- - 6 files changed, 14 insertions(+), 5 deletions(-) - create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh - create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh - -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -index 739f5f14936..94fbaaa33ed 100644 ---- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo' - - ocil: |- - To determine if logfile has been configured for sudo, run the following command: --
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
-+
$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
- The command should return a matching output. - - template: -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh -new file mode 100644 -index 00000000000..13ff4559edb ---- /dev/null -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = multi_platform_all -+ -+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh -new file mode 100644 -index 00000000000..ec24854f0f9 ---- /dev/null -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = multi_platform_all -+ -+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers -diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template -index 094fa430b64..c9e344ec772 100644 ---- a/shared/templates/sudo_defaults_option/ansible.template -+++ b/shared/templates/sudo_defaults_option/ansible.template -@@ -8,7 +8,7 @@ - - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers - lineinfile: - path: /etc/sudoers -- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$' -+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$' - line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2' - validate: /usr/sbin/visudo -cf %s - backrefs: yes -diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template -index e3563d42db6..e7d962a668d 100644 ---- a/shared/templates/sudo_defaults_option/bash.template -+++ b/shared/templates/sudo_defaults_option/bash.template -@@ -9,7 +9,7 @@ - {{% 
endif %}} - if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak -- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then -+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option {{{ OPTION }}} - echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers - {{%- if not VARIABLE_NAME %}} -@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then - {{% if '/' in OPTION %}} - {{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}} - {{% endif %}} -- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers -+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}} -+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi - fi - {{% endif %}} -diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template -index c0d81c95093..a9636a7204a 100644 ---- a/shared/templates/sudo_defaults_option/oval.template -+++ b/shared/templates/sudo_defaults_option/oval.template -@@ -13,7 +13,7 @@ - - - ^/etc/sudoers(|\.d/.*)$ -- ^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$ -+ ^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$ - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch b/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch deleted file mode 100644 index 9c0ff1e..0000000 --- a/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch +++ /dev/null 
@@ -1,967 +0,0 @@
-From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
-From: Flos Lonicerae
-Date: Wed, 13 Apr 2022 20:06:18 +0800
-Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
-
-This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
-A simple test case as follows:
-
- /etc/rsyslog.conf
- include(file="/etc/rsyslog.d/*.conf" mode="optional")
-
- /etc/rsyslog.d/custom1.conf
- local1.* /tmp/local1.out
-
- /etc/rsyslog.d/custom2.conf
- local2.* /tmp/local2.out
----
- .../rsyslog_files_permissions/bash/shared.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index b794ea8db31..02b0c36d899 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -5,8 +5,8 @@
- RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- # (store the result into array for the case there's shell glob used as value of IncludeConfig)
--readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
--readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
-+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
- 
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
-
-From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
-From: Flos Lonicerae
-Date: Thu, 14 Apr 2022 15:58:04 +0800
-Subject: [PATCH 02/15] A better fix.
-
- * Should also fixed the CI failure.
----
- .../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index 02b0c36d899..1aebb8f9da5 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -5,8 +5,10 @@
- RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- # (store the result into array for the case there's shell glob used as value of IncludeConfig)
--readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
--readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
-+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
-+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
- 
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
-
-From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
-From: Flos Lonicerae
-Date: Fri, 15 Apr 2022 10:47:37 +0800
-Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
-
----
- .../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
- .../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
- 2 files changed, 113 insertions(+)
- create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
- create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
-new file mode 100755
-index 00000000000..7cb09128d78
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
-@@ -0,0 +1,56 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Check rsyslog.conf with log file permissions 0600 from rules and
-+# log file permissions 0600 from $IncludeConfig passes.
-+
-+source $SHARED/rsyslog_log_utils.sh
-+
-+PERMS=0600
-+
-+# setup test data
-+create_rsyslog_test_logs 3
-+
-+# setup test log files and permissions
-+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
-+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
-+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create test configuration file
-+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
-+mkdir ${conf_subdir}
-+test_subdir_conf=${conf_subdir}/test_subdir.conf
-+test_conf=${RSYSLOG_TEST_DIR}/test.conf
-+cat << EOF > ${test_subdir_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[2]}
-+EOF
-+
-+cat << EOF > ${test_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+EOF
-+
-+# create rsyslog.conf configuration file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+
-+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
-+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
-+
-+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
-+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
-+
-+EOF
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
-new file mode 100755
-index 00000000000..942eaf086a1
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
-@@ -0,0 +1,57 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+
-+# Check rsyslog.conf with log file permissions 0600 from rules and
-+# log file permissions 0601 from $IncludeConfig fails.
-+
-+source $SHARED/rsyslog_log_utils.sh
-+
-+PERMS_PASS=0600
-+PERMS_FAIL=0601
-+
-+# setup test data
-+create_rsyslog_test_logs 3
-+
-+# setup test log files and permissions
-+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
-+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
-+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create test configuration file
-+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
-+mkdir ${conf_subdir}
-+test_subdir_conf=${conf_subdir}/test_subdir.conf
-+test_conf=${RSYSLOG_TEST_DIR}/test.conf
-+cat << EOF > ${test_subdir_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[2]}
-+EOF
-+
-+cat << EOF > ${test_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+EOF
-+
-+# create rsyslog.conf configuration file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+
-+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
-+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
-+
-+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
-+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
-+
-+EOF
-
-From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
-From: Flos Lonicerae
-Date: Thu, 19 May 2022 01:22:19 +0800
-Subject: [PATCH 04/15] The way using 'find' can be retired.
-
----
- .../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index 1aebb8f9da5..cece5930ee8 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
- 
--RSYSLOG_CONFIGS=()
--RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-+declare -a RSYSLOG_CONFIGS
-+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
- 
--# Get full list of files to be checked
--# RSYSLOG_CONFIGS may contain globs such as
--# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
--# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
--RSYSLOG_FILES=()
--for ENTRY in "${RSYSLOG_CONFIGS[@]}"
--do
-- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
-- RSYSLOG_FILES+=("${FINDOUT[@]}")
--done
--
--# Check file and fix if needed.
--for LOG_FILE in "${RSYSLOG_FILES[@]}" -+# Browse each file selected above as containing paths of log files -+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" - do - # From each of these files extract just particular log file path(s), thus: - # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, - -From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Fri, 20 May 2022 01:30:37 +0800 -Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/' - ---- - .../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index cece5930ee8..50d36d7426f 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf - # Declare an array to hold the final list of different log file paths - declare -a LOG_FILE_PATHS - -+# Array to hold all rsyslog config entries - declare -a RSYSLOG_CONFIGS - RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") - -+# Array to hold all rsyslog config files -+declare -a RSYSLOG_CONFIG_FILES -+for ENTRY in "${RSYSLOG_CONFIGS[@]}" -+do -+ # If directory, need to include files recursively -+ if [ -d "${ENTRY}" ] -+ then -+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') -+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") -+ elif [ -f "${ENTRY}" ] -+ then -+ 
RSYSLOG_CONFIG_FILES+=("${ENTRY}") -+ else -+ echo "Invalid include object: ${ENTRY}" -+ fi -+done -+ - # Browse each file selected above as containing paths of log files - # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) --for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" -+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" - do - # From each of these files extract just particular log file path(s), thus: - # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, - -From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Fri, 20 May 2022 01:46:33 +0800 -Subject: [PATCH 06/15] Update test files. - ---- - .../tests/include_config_syntax_perms_0600.pass.sh | 2 ++ - .../tests/include_config_syntax_perms_0601.fail.sh | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -index 7cb09128d78..2ddd9fcb697 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF - - include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") - include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") -+include(file="${RSYSLOG_TEST_DIR}" mode="optional") - - \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf - \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf -+\$IncludeConfig ${RSYSLOG_TEST_DIR} - - EOF -diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -index 942eaf086a1..73ff3332c6d 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF - - include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") - include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") -+include(file="${RSYSLOG_TEST_DIR}" mode="optional") - - \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf - \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf -+\$IncludeConfig ${RSYSLOG_TEST_DIR} - - EOF - -From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Fri, 20 May 2022 10:03:32 +0800 -Subject: [PATCH 07/15] Rsyslog says we should include all files - ---- - .../rsyslog_files_permissions/bash/shared.sh | 2 +- - .../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++- - .../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++- - 3 files changed, 31 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index 50d36d7426f..cd5014105e9 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -24,7 +24,7 @@ do - # If directory, need to 
include files recursively - if [ -d "${ENTRY}" ] - then -- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') -+ readarray -t FINDOUT < <(find "${ENTRY}" -type f) - RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") - elif [ -f "${ENTRY}" ] - then -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -index 2ddd9fcb697..755865ca522 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh - PERMS=0600 - - # setup test data --create_rsyslog_test_logs 3 -+create_rsyslog_test_logs 4 - - # setup test log files and permissions - chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} - chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} - chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} -+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} - - # create test configuration file - conf_subdir=${RSYSLOG_TEST_DIR}/subdir - mkdir ${conf_subdir} - test_subdir_conf=${conf_subdir}/test_subdir.conf - test_conf=${RSYSLOG_TEST_DIR}/test.conf -+test_bak=${RSYSLOG_TEST_DIR}/test.bak -+ - cat << EOF > ${test_subdir_conf} - # rsyslog configuration file -+# test_subdir_conf - - #### RULES #### - -@@ -31,12 +35,22 @@ EOF - - cat << EOF > ${test_conf} - # rsyslog configuration file -+# test_conf - - #### RULES #### - - *.* ${RSYSLOG_TEST_LOGS[1]} - EOF - -+cat << EOF > ${test_bak} -+# rsyslog configuration file -+# test_bak -+ -+#### RULES #### -+ -+*.* ${RSYSLOG_TEST_LOGS[3]} -+EOF -+ - # create rsyslog.conf configuration file - cat << EOF > $RSYSLOG_CONF - # rsyslog configuration file -diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -index 73ff3332c6d..063b1a0cbe5 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -@@ -10,20 +10,24 @@ PERMS_PASS=0600 - PERMS_FAIL=0601 - - # setup test data --create_rsyslog_test_logs 3 -+create_rsyslog_test_logs 4 - - # setup test log files and permissions - chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} - chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} - chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} -+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} - - # create test configuration file - conf_subdir=${RSYSLOG_TEST_DIR}/subdir - mkdir ${conf_subdir} - test_subdir_conf=${conf_subdir}/test_subdir.conf - test_conf=${RSYSLOG_TEST_DIR}/test.conf -+test_bak=${RSYSLOG_TEST_DIR}/test.bak -+ - cat << EOF > ${test_subdir_conf} - # rsyslog configuration file -+# test_subdir_conf - - #### RULES #### - -@@ -32,12 +36,22 @@ EOF - - cat << EOF > ${test_conf} - # rsyslog configuration file -+# test_conf - - #### RULES #### - - *.* ${RSYSLOG_TEST_LOGS[1]} - EOF - -+cat << EOF > ${test_bak} -+# rsyslog configuration file -+# test_bak -+ -+#### RULES #### -+ -+*.* ${RSYSLOG_TEST_LOGS[3]} -+EOF -+ - # create rsyslog.conf configuration file - cat << EOF > $RSYSLOG_CONF - # rsyslog configuration file - -From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Sat, 21 May 2022 16:02:26 +0800 -Subject: [PATCH 08/15] Match glob() function of rsyslog - ---- - .../rsyslog_files_permissions/bash/shared.sh | 5 ++- - 
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++------- - .../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++------- - 3 files changed, 55 insertions(+), 28 deletions(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index cd5014105e9..38105bf086b 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS - declare -a RSYSLOG_CONFIG_FILES - for ENTRY in "${RSYSLOG_CONFIGS[@]}" - do -- # If directory, need to include files recursively -+ # If directory, rsyslog will search for config files in recursively. -+ # However, files in hidden sub-directories or hidden files will be ignored. 
- if [ -d "${ENTRY}" ] - then -- readarray -t FINDOUT < <(find "${ENTRY}" -type f) -+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) - RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") - elif [ -f "${ENTRY}" ] - then -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -index 755865ca522..a5a2f67fadc 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh - PERMS=0600 - - # setup test data --create_rsyslog_test_logs 4 -+create_rsyslog_test_logs 5 - - # setup test log files and permissions - chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} - chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} - chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} - chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} -+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} - --# create test configuration file -+# create test configuration files - conf_subdir=${RSYSLOG_TEST_DIR}/subdir -+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir - mkdir ${conf_subdir} --test_subdir_conf=${conf_subdir}/test_subdir.conf --test_conf=${RSYSLOG_TEST_DIR}/test.conf --test_bak=${RSYSLOG_TEST_DIR}/test.bak -+mkdir ${conf_hiddir} - --cat << EOF > ${test_subdir_conf} -+test_conf_in_subdir=${conf_subdir}/in_subdir.conf -+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak -+ -+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf -+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf -+ -+cat << EOF > ${test_conf_in_subdir} - # rsyslog configuration file --# test_subdir_conf - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[2]} -+*.* 
${RSYSLOG_TEST_LOGS[1]} - EOF - --cat << EOF > ${test_conf} -+cat << EOF > ${test_conf_name_bak} - # rsyslog configuration file --# test_conf - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[1]} -+*.* ${RSYSLOG_TEST_LOGS[2]} - EOF - --cat << EOF > ${test_bak} -+cat << EOF > ${test_conf_in_hiddir} - # rsyslog configuration file --# test_bak -+# not used - - #### RULES #### - - *.* ${RSYSLOG_TEST_LOGS[3]} - EOF - -+cat << EOF > ${test_conf_dot_name} -+# rsyslog configuration file -+# not used -+ -+#### RULES #### -+ -+*.* ${RSYSLOG_TEST_LOGS[4]} -+EOF -+ - # create rsyslog.conf configuration file - cat << EOF > $RSYSLOG_CONF - # rsyslog configuration file -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -index 063b1a0cbe5..a9d0adfb727 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -@@ -10,48 +10,61 @@ PERMS_PASS=0600 - PERMS_FAIL=0601 - - # setup test data --create_rsyslog_test_logs 4 -+create_rsyslog_test_logs 5 - - # setup test log files and permissions - chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} - chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} - chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} - chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} -+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} - --# create test configuration file -+# create test configuration files - conf_subdir=${RSYSLOG_TEST_DIR}/subdir -+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir - mkdir ${conf_subdir} --test_subdir_conf=${conf_subdir}/test_subdir.conf --test_conf=${RSYSLOG_TEST_DIR}/test.conf 
--test_bak=${RSYSLOG_TEST_DIR}/test.bak -+mkdir ${conf_hiddir} - --cat << EOF > ${test_subdir_conf} -+test_conf_in_subdir=${conf_subdir}/in_subdir.conf -+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak -+ -+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf -+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf -+ -+cat << EOF > ${test_conf_in_subdir} - # rsyslog configuration file --# test_subdir_conf - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[2]} -+*.* ${RSYSLOG_TEST_LOGS[1]} - EOF - --cat << EOF > ${test_conf} -+cat << EOF > ${test_conf_name_bak} - # rsyslog configuration file --# test_conf - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[1]} -+*.* ${RSYSLOG_TEST_LOGS[2]} - EOF - --cat << EOF > ${test_bak} -+cat << EOF > ${test_conf_in_hiddir} - # rsyslog configuration file --# test_bak -+# not used - - #### RULES #### - - *.* ${RSYSLOG_TEST_LOGS[3]} - EOF - -+cat << EOF > ${test_conf_dot_name} -+# rsyslog configuration file -+# not used -+ -+#### RULES #### -+ -+*.* ${RSYSLOG_TEST_LOGS[4]} -+EOF -+ - # create rsyslog.conf configuration file - cat << EOF > $RSYSLOG_CONF - # rsyslog configuration file - -From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Sun, 22 May 2022 21:10:16 +0800 -Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code - ---- - .../rsyslog_files_permissions/bash/shared.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index 38105bf086b..e1129e34c81 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -54,7 +54,7 @@ do - then - 
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") - LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") -- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}") -+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}") - CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") - MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") - # Since above sed command might return more than one item (delimited by newline), split the particular - -From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001 -From: Flos Lonicerae -Date: Tue, 24 May 2022 00:42:17 +0800 -Subject: [PATCH 10/15] Added platform. - ---- - .../tests/include_config_syntax_perms_0601.fail.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -index a9d0adfb727..fe4db0a3c91 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle - - # Check rsyslog.conf with log file permissions 0600 from rules and - # log file permissions 0601 from $IncludeConfig fails. 
-
-From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 10 Aug 2022 13:56:39 +0200
-Subject: [PATCH 11/15] Reset the arrays before using them
-
-When bash remediations for a profile are generated, it can happen that a
-variable with same name is used for multiple remediations.
-So let's reset the array before using it.
----
- .../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index e1129e34c81..d1856ffbe7b 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
- declare -a LOG_FILE_PATHS
- 
- # Array to hold all rsyslog config entries
--declare -a RSYSLOG_CONFIGS
--RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-+RSYSLOG_CONFIGS=()
-+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
- 
--# Array to hold all rsyslog config files
--declare -a RSYSLOG_CONFIG_FILES
-+# Get full list of files to be checked
-+# RSYSLOG_CONFIGS may contain globs such as
-+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-+RSYSLOG_CONFIG_FILES=()
- for ENTRY in "${RSYSLOG_CONFIGS[@]}"
- do
- # If directory, rsyslog will search for config files in recursively.
- -From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 10 Aug 2022 14:55:37 +0200 -Subject: [PATCH 12/15] Don't parse hidden config files for Includes - -Let's follow rsyslog behavior and not capture process hidden config -files for includes. ---- - .../rsyslog_files_permissions/oval/shared.xml | 9 ++++ - ...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++ - 2 files changed, 62 insertions(+) - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -index a04e6fd8900..d13177216c3 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -@@ -17,8 +17,17 @@ - /etc/rsyslog.conf - ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ - 1 -+ state_permissions_ignore_hidden_paths - - -+ -+ -+ ^.*\/\..*$ -+ -+ - - - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh -new file mode 100644 -index 00000000000..9b0185c6b2f ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh -@@ -0,0 +1,53 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 
8,multi_platform_fedora,Oracle Linux 8
-+
-+# Check rsyslog.conf with log file permisssions 0600 from rules and
-+# log file permissions 0601 from include() fails.
-+
-+source $SHARED/rsyslog_log_utils.sh
-+
-+PERMS_PASS=0600
-+PERMS_FAIL=0601
-+
-+# setup test data
-+create_rsyslog_test_logs 3
-+
-+# setup test log files and permissions
-+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
-+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
-+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create test configuration file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+EOF
-+
-+# create hidden test2 configuration file
-+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
-+cat << EOF > ${test_conf2}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[2]}
-+EOF
-+
-+# create rsyslog.conf configuration file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+
-+include(file="${test_conf}")
-+
-+\$IncludeConfig ${test_conf2}
-+EOF
-
-From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 10 Aug 2022 15:49:11 +0200
-Subject: [PATCH 13/15] Add test for for missing rsyslog included files
-
-The rsyslog conf file may include other config files.
-If the included missing files are missing rsyslog will generate an
-error, but will still continue working.
-https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
-
-There is not a good way of ensuring that all files defined in a list of paths exist.
----
- ...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
- 1 file changed, 45 insertions(+)
- create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
-new file mode 100644
-index 00000000000..b929f2a94ab
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
-@@ -0,0 +1,45 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
-+
-+# Check rsyslog.conf with log file permisssions 0600 from rules and
-+# log file permissions 0601 from include() fails.
-+
-+source $SHARED/rsyslog_log_utils.sh
-+
-+PERMS_PASS=0600
-+PERMS_FAIL=0601
-+
-+# setup test data
-+create_rsyslog_test_logs 3
-+
-+# setup test log files and permissions
-+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
-+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
-+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create test configuration file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+EOF
-+
-+# Skip creation test2 configuration file
-+
-+# create rsyslog.conf configuration file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+
-+include(file="${test_conf}")
-+
-+\$IncludeConfig ${test_conf2}
-+EOF
-
-From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 10 Aug 2022 21:47:18 +0200
-Subject: [PATCH 14/15] Align Ansible remediation with Bash
-
-The remediation now expands the glob expressions and doesn't collect
-hidden files or directories to check for their permissions.
----
- .../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-index 635b72f7352..c558bf46c71 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-@@ -19,19 +19,26 @@
- shell: |
- set -o pipefail
- grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
-- register: include_config_output
-+ register: rsyslog_old_inc
- changed_when: False
-
- - name: "Get include files directives"
- shell: |
- set -o pipefail
- grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
-- register: include_files_output
-+ register: rsyslog_new_inc
- changed_when: False
-
-+- name: "Expand glob expressions"
-+ shell: |
-+ set -o pipefail
-+ eval printf '%s\\n' {{ item }}
-+ register: include_config_output
-+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
-+
- - name: "List all config files"
-- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
-- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
-+ shell: find {{ item }} -not -path "*/.*" -type f
-+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
- register: rsyslog_config_files
- changed_when: False
-
-
-From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 10 Aug 2022 21:56:05 +0200
-Subject: [PATCH 15/15] Ignore invalid or non existing include objects
-
-Let's not fail the task when the find doesn't find the
include object.
-When the include is a glob expression that doesn't evaluate to any file
-the glob itself is used in find command.
-
-The Bash remediation prints a message for each include that is not a
-file is not a directory or doesn't exist.
----
- .../rsyslog_files_permissions/ansible/shared.yml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-index c558bf46c71..3a9380cf13b 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
-@@ -40,6 +40,7 @@
- shell: find {{ item }} -not -path "*/.*" -type f
- loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
- register: rsyslog_config_files
-+ failed_when: False
- changed_when: False
-
- - name: "Extract log files"
diff --git a/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch b/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
deleted file mode 100644
index 2ac4abd..0000000
--- a/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 5 Aug 2022 11:45:15 +0200
-Subject: [PATCH 1/4] fix ospp references
-
----
- linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
-index c151d3c4aa1..f9b46c51ddd 100644
---- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
-+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
-@@ -34,6 +34,7 @@ references:
- disa: CCI-000213
- hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
- nist: AC-3
-+ ospp: FIA_UAU.1,FIA_AFL.1
- srg: SRG-OS-000480-GPOS-00227
-
- ocil: |-
-
-From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 5 Aug 2022 11:45:42 +0200
-Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
-
----
- products/rhel9/profiles/ospp.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index b47630c62b0..dcc41970043 100644
---- a/products/rhel9/profiles/ospp.profile
-+++ b/products/rhel9/profiles/ospp.profile
-@@ -115,7 +115,7 @@ selections:
- - coredump_disable_storage
- - coredump_disable_backtraces
- - service_systemd-coredump_disabled
-- - var_authselect_profile=sssd
-+ - var_authselect_profile=minimal
- - enable_authselect
- - use_pam_wheel_for_su
-
-
-From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 5 Aug 2022 11:45:54 +0200
-Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
-
----
- products/rhel8/profiles/ospp.profile |
2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
-index 39ad1797c7a..ebec8a3a6f9 100644
---- a/products/rhel8/profiles/ospp.profile
-+++ b/products/rhel8/profiles/ospp.profile
-@@ -220,7 +220,7 @@ selections:
- - var_accounts_max_concurrent_login_sessions=10
- - accounts_max_concurrent_login_sessions
- - securetty_root_login_console_only
-- - var_authselect_profile=sssd
-+ - var_authselect_profile=minimal
- - enable_authselect
- - var_password_pam_unix_remember=5
- - accounts_password_pam_unix_remember
-
-From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 5 Aug 2022 13:55:05 +0200
-Subject: [PATCH 4/4] update profile stability test
-
----
- tests/data/profile_stability/rhel8/ospp.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 5d73a8c6fef..21e93e310d5 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -242,7 +242,7 @@ selections:
- - var_slub_debug_options=P
- - var_auditd_flush=incremental_async
- - var_accounts_max_concurrent_login_sessions=10
--- var_authselect_profile=sssd
-+- var_authselect_profile=minimal
- - var_password_pam_unix_remember=5
- - var_selinux_state=enforcing
- - var_selinux_policy_name=targeted
diff --git a/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch b/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
deleted file mode 100644
index 74d6823..0000000
--- a/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Wed, 10 Aug 2022 09:59:57 +0200
-Subject: [PATCH] switch rule grub2_disable_interactive_boot for
- grub2_disable_recovery in rhel8 ospp
-
----
- .../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
- products/rhel8/profiles/ospp.profile | 2 +-
- tests/data/profile_stability/rhel8/ospp.profile | 2 +-
- 4 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
-index 4f8d4ddcfde..fb126cbe7d8 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
-@@ -17,6 +17,7 @@ rationale: |-
- severity: medium
-
- identifiers:
-+ cce@rhel8: CCE-86006-4
- cce@rhel9: CCE-85986-8
-
- references:
-diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
-index ebec8a3a6f9..6e3b30f64bb 100644
---- a/products/rhel8/profiles/ospp.profile
-+++ b/products/rhel8/profiles/ospp.profile
-@@ -304,7 +304,7 @@ selections:
- ## Disable Unauthenticated Login (such as Guest Accounts)
- ## FIA_UAU.1
- - require_singleuser_auth
-- - grub2_disable_interactive_boot
-+ - grub2_disable_recovery
- - grub2_uefi_password
- - no_empty_passwords
-
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 21e93e310d5..267b66a4f89 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -89,7 +89,7 @@ selections:
- - ensure_redhat_gpgkey_installed
- - grub2_audit_argument
- - grub2_audit_backlog_limit_argument
--- grub2_disable_interactive_boot
-+- grub2_disable_recovery
- - grub2_kernel_trust_cpu_rng
- - grub2_page_poison_argument
- - grub2_pti_argument
diff --git a/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch b/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
deleted file mode 100644
index d535517..0000000
--- a/SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From bd2128cdc6a657306b8c9644481346f0ab4411f6 Mon Sep 17 00:00:00 2001
-From: Edgar Aguilar
-Date: Mon, 5 Sep 2022 11:07:33 -0500
-Subject: [PATCH] Update OVAL in openssh rule
-
-Update OVAL in harden_sshd_ciphers_opensshserver_conf_crypto_policy to
-align it with generated conf by remediation
-
-Signed-off-by: Edgar Aguilar
----
- .../oval/shared.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
-index 53919eaae7f..21d4e716dbc 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
-@@ -16,7 +16,7 @@
-
-
- {{{ PATH }}}
-- ^(?!#).*(-oCiphers=\S+).*$
-+ ^(?!#).*(-oCiphers=[^\s']+).*$
- 1
-
-
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch b/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch
deleted file mode 100644
index 68471b6..0000000
--- a/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Tue, 2 Aug 2022 15:01:42 +0200
-Subject: [PATCH] Add rsyslogd to the list of tools check by aide
-
-RHEL products will also check for integrity of /usr/sbin/rsyslogd.
----
- .../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
- .../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
- .../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
- .../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
- .../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
- .../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
- 6 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
-index 9d1b7b675c9..5905ea8d0e6 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
-@@ -22,6 +22,7 @@
- - /usr/sbin/aureport
- - /usr/sbin/ausearch
- - /usr/sbin/autrace
-+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
-
- - name: Ensure existing AIDE configuration for audit tools are correct
- lineinfile:
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
-index d0a1ba2522f..a81e25c3950 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
-@@ -18,12 +18,11 @@
- {{% set auditfiles =
auditfiles + ["/usr/sbin/audispd"] %}}
- {{% endif %}}
-
--{{% if product == 'ol8' %}}
-+{{% if product == 'ol8' or 'rhel' in product %}}
- {{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
- {{% endif %}}
-
- {{% for file in auditfiles %}}
--
- if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
- sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
- else
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
-index 6ce56c1137a..ca9bf4f94d0 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
-@@ -11,7 +11,7 @@
- {{% if 'rhel' not in product and product != 'ol8' %}}
-
- {{% endif %}}
-- {{% if product == 'ol8' %}}
-+ {{% if product == 'ol8' or 'rhel' in product %}}
-
- {{% endif %}}
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
-index 756b88d8a23..071dde13295 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
-@@ -7,7 +7,7 @@ aide --init
-
-
- declare -a bins
--bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
-+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
-
- for theFile in "${bins[@]}"
- do
-diff --git
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
-index f3a2a126d3d..cb9bbfa7350 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
-@@ -4,7 +4,7 @@
- yum -y install aide
-
- declare -a bins
--bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
-+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
-
- for theFile in "${bins[@]}"
- do
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
-index 4315cef2073..a22aecb0000 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
-@@ -6,7 +6,7 @@ yum -y install aide
- aide --init
-
- declare -a bins
--bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
-+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
-
- for theFile in "${bins[@]}"
- do
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch b/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
deleted file mode 100644
index 7c0a252..0000000
--- a/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
+++ /dev/null
@@ -1,4490 +0,0 @@
-From 0addbba742ef5470e911d391eb738e9da79ce7b7 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 1 Aug 2022 14:43:21 +0200
-Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R7
-
----
- ... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++++++++--------
- 1 file changed, 233 insertions(+), 204 deletions(-)
- rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%)
-
-diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
-similarity index 96%
-rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
-rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
-index 849ab06f66d..a02819d3002 100644
---- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
-+++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
-@@ -1,4 +1,4 @@
--acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. - -@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf - - localpkg_gpgcheck =True - --If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. 
Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. - -@@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: - - Check the status of the kernel.kexec_load_disabled kernel parameter. - -@@ -885,7 +885,7 @@ $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sy - - If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
-+If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
- -@@ -907,7 +907,7 @@ fs.protected_symlinks = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: - - Check the status of the fs.protected_symlinks kernel parameter. - -@@ -925,7 +925,7 @@ $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl. - - If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -+If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. 
DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -@@ -947,7 +947,7 @@ fs.protected_hardlinks = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: - - Check the status of the fs.protected_hardlinks kernel parameter. 
- -@@ -965,7 +965,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl - - If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -+If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
- - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -@@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: - - Check the status of the kernel.dmesg_restrict kernel parameter. - -@@ -1005,7 +1005,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl. - - If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
-+If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -@@ -1027,7 +1027,7 @@ kernel.perf_event_paranoid = 2 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: - - Check the status of the kernel.perf_event_paranoid kernel parameter. - -@@ -1045,15 +1045,25 @@ $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sy - - If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. -+If conflicting results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - --Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". 
-+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Configure the operating system to require users to supply a password for privilege escalation. -+ -+Check the configuration of the "/etc/sudoers" file with the following command: -+$ sudo visudo -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ -+Check the configuration of the /etc/sudoers.d/* files with the following command: -+$ sudo grep -ir nopasswd /etc/sudoers.d -+ -+Remove any occurrences of "NOPASSWD" tags in the file.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". - - Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: - --$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d - - %admin ALL=(ALL) NOPASSWD: ALL - -@@ -1222,7 +1232,7 @@ $ sudo grep slub_debug /etc/default/grub - - GRUB_CMDLINE_LINUX="slub_debug=P" - --If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. -+If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - -@@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2 - - Issue the following command to make the changes take effect: - --$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: -+$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: - - $ sudo sysctl kernel.randomize_va_space - -@@ -1256,7 +1266,7 @@ $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sys - - If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. -+If conflicting results are returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. 
- - Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file: - -@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS) - - If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). - --If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
- /etc/sysctl.d/*.conf -@@ -1606,7 +1616,7 @@ kernel.core_pattern = |/bin/false - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: - - $ sudo sysctl kernel.core_pattern - -@@ -1622,24 +1632,26 @@ $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/ - - If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -- --A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -- --When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: -- --$ sudo systemctl mask systemd-coredump.socket -- --Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null -- --Reload the daemon for this change to take effect. -- --$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+ -+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -+ -+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. 
This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following commands: -+ -+$ sudo systemctl disable --now systemd-coredump.socket -+ -+$ sudo systemctl mask systemd-coredump.socket -+ -+Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null -+ -+Reload the daemon for this change to take effect. -+ -+$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: - - $ sudo systemctl status systemd-coredump.socket - - systemd-coredump.socket --Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) -+Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) - Active: inactive (dead) - - If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
-@@ -2347,40 +2359,40 @@ $ sudo grep -i lock-command /etc/tmux.conf - - set -g lock-command vlock - --If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -+If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - --Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. -+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
- --Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: - --If [ "$PS1" ]; then -+if [ "$PS1" ]; then -+parent=$(ps -o ppid= -p $$) -+name=$(ps -o comm= -p $parent) -+case "$name" in (sshd|login) exec tmux ;; esac -+fi -+ -+This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: -+ -+Determine if tmux is currently running: -+$ sudo ps all | grep tmux | grep -v grep -+ -+If the command does not produce output, this is a finding. 
-+ -+Determine the location of the tmux script: -+$ sudo grep -r tmux /etc/bashrc /etc/profile.d -+ -+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac -+ -+Review the tmux script by using the following example: -+$ sudo cat /etc/profile.d/tmux.sh -+if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi - --This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: -- --Determine if tmux is currently running: --$ sudo ps all | grep tmux | grep -v grep -- --If the command does not produce output, this is a finding. -- --Determine the location of the tmux script: --$ sudo grep tmux /etc/bashrc/etc/profile.d/* -- --/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac -- --Review the tmux script by using the following example: --$ sudo cat /etc/profile.d/tmux.sh --If [ "$PS1" ]; then --parent=$(ps -o ppid= -p $$) --name=$(ps -o comm= -p $parent) --case "$name" in (sshd|login) exec tmux ;; esac --fi -- - If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -@@ -2540,7 +2552,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality - - password required pam_pwquality.so - --If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. 
Note th - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --ucredit = -1Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: -+ucredit = -1Verify the value for "ucredit" with the following command: - --$ sudo grep ucredit /etc/security/pwquality.conf -+$ sudo grep -r ucredit /etc/security/pwquality.conf* - --ucredit = -1 -+/etc/security/pwquality.conf:ucredit = -1 - --If the value of "ucredit" is a positive number or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "ucredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. 
Note th - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --lcredit = -1Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: -+lcredit = -1Verify the value for "lcredit" with the following command: - --$ sudo grep lcredit /etc/security/pwquality.conf -+$ sudo grep -r lcredit /etc/security/pwquality.conf* - --lcredit = -1 -+/etc/security/pwquality.conf:lcredit = -1 - --If the value of "lcredit" is a positive number or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "lcredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
Note - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --dcredit = -1Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: -+dcredit = -1Verify the value for "dcredit" with the following command: - --$ sudo grep dcredit /etc/security/pwquality.conf -+$ sudo grep -r dcredit /etc/security/pwquality.conf* - --dcredit = -1 -+/etc/security/pwquality.conf:dcredit = -1 - --If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "dcredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
The " - - Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - --maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: -+maxclassrepeat = 4Check for the value of the "maxclassrepeat" option with the following command: - --$ sudo grep maxclassrepeat /etc/security/pwquality.conf -+$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf* - --maxclassrepeat = 4 -+/etc/security/pwquality.conf:maxclassrepeat = 4 - --If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- -@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - --maxrepeat = 3Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: -+maxrepeat = 3Check for the value of the "maxrepeat" option with the following command: - --$ sudo grep maxrepeat /etc/security/pwquality.conf -+$ sudo grep -r maxrepeat /etc/security/pwquality.conf* - --maxrepeat = 3 -+/etc/security/pwquality.conf:maxrepeat = 3 - --If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- -@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - --minclass = 4Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: -+minclass = 4Verify the value of the "minclass" option with the following command: -+ -+$ sudo grep -r minclass /etc/security/pwquality.conf* - --$ sudo grep minclass /etc/security/pwquality.conf --minclass = 4 -+/etc/security/pwquality.conf:minclass = 4 - --If the value of "minclass" is set to less than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "minclass" is set to less than "4" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
- -@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - --difok = 8Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: -+difok = 8Verify the value of the "difok" option with the following command: - --$ sudo grep difok /etc/security/pwquality.conf -+$ sudo grep -r difok /etc/security/pwquality.conf* - --difok = 8 -+/etc/security/pwquality.conf:difok = 8 - --If the value of "difok" is set to less than "8" or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: -+If the value of "difok" is set to less than "8" or is commented out, this is a finding. 
-+If conflicting results are returned, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: - - $ sudo chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater. - -@@ -2689,7 +2709,7 @@ $ sudo grep -i remember /etc/pam.d/password-auth - - password required pam_pwhistory.so use_authtok remember=5 retry=3 - --If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
-+If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion>< - - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - --minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. -+minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. 
- --Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: -+Check for the value of the "minlen" option with the following command: - --$ sudo grep minlen /etc/security/pwquality.conf --minlen = 15 -+$ sudo grep -r minlen /etc/security/pwquality.conf* - --If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -+/etc/security/pwquality.conf:minlen = 15 -+ -+If the command does not return a "minlen" value of 15 or greater, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -@@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac - $ sudo chage -l system_account_name - - Verify each of these accounts has an expiration date set within 72 hours. 
--If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. 
Note - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --ocredit = -1Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: -+ocredit = -1Verify the value for "ocredit" with the following command: - --$ sudo grep ocredit /etc/security/pwquality.conf -+$ sudo grep -r ocredit /etc/security/pwquality.conf* - --ocredit = -1 -+/etc/security/pwquality.conf:ocredit = -1 - --If the value of "ocredit" is a positive number or is commented out, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. -+If the value of "ocredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. - - RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002007Configure the SSSD to prohibit the use of cached authentications after one day. 
- -@@ -2842,19 +2865,20 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf - - offline_credentials_expiration = 1 - --If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. 
-+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. - - Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: - --dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. -+dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. 
- --Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: -+Determine if the field "dictcheck" is set with the following command: - --$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf -+$ sudo grep -r dictcheck /etc/security/pwquality.conf* - --dictcheck=1 -+/etc/security/pwquality.conf:dictcheck=1 - --If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. -+If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. - - Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. - -@@ -4281,7 +4305,7 @@ root /sbin/auditd - root /sbin/rsyslogd - root /sbin/augenrules - --If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. -+If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. 
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 --/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. -+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. - - If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - - Check the selection lines to ensure AIDE is configured to add/check with the following command: - --$ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf -+$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf - - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -@@ -4312,7 +4336,7 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - --If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. -+If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. - - The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001849Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. 
- -@@ -4951,17 +4975,25 @@ p2p-dev-wlp7s0 wifi-p2p disconnected -- - lo loopback unmanaged -- - virbr0-nic tun unmanaged -- - --If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. -+If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. - - This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - --Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. -+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. - - Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - - install bluetooth /bin/true - --Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. -+Disable the ability to use the Bluetooth kernel module. -+ -+$ sudo vi /etc/modprobe.d/blacklist.conf -+ -+Add or update the line: -+ -+blacklist bluetooth -+ -+Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. - - This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision. - -@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/* - - /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true - --If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. -+If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. -+ -+Verify the operating system disables the ability to use Bluetooth with the following command: -+ -+$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" -+ -+blacklist bluetooth -+ -+If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -@@ -5361,15 +5401,17 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config - - RekeyLimit 1G 1h - --If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: -- --$ sudo systemctl mask ctrl-alt-del.target -- --Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null -- --Reload the daemon for this change to take effect. -- --$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: -+If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: -+ -+$ sudo systemctl disable ctrl-alt-del.target -+ -+$ sudo systemctl mask ctrl-alt-del.target -+ -+Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null -+ -+Reload the daemon for this change to take effect. -+ -+$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: - - $ sudo systemctl status ctrl-alt-del.target - -@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul - - $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd - --If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
-+If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5454,7 +5496,7 @@ net.ipv6.conf.default.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. -+$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5474,7 +5516,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ - - If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - -@@ -5492,9 +5534,7 @@ net.ipv4.conf.all.send_redirects=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. - - Check the value of the "all send_redirects" variables with the following command: - -@@ -5512,7 +5552,7 @@ $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/ - - If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -@@ -5529,9 +5569,7 @@ net.ipv4.icmp_echo_ignore_broadcasts=1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. 
-+$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. - - Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: - -@@ -5549,7 +5587,7 @@ $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/lo - - If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5565,7 +5603,7 @@ net.ipv6.conf.all.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5585,7 +5623,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l - - If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5601,7 +5639,7 @@ net.ipv6.conf.default.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5621,7 +5659,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /u - - If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5637,7 +5675,7 @@ net.ipv6.conf.all.forwarding=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5657,7 +5695,7 @@ $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ - - If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
-+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -5675,7 +5713,7 @@ net.ipv6.conf.all.accept_ra=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is not applicable. - -@@ -5695,7 +5733,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/s - - If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
-+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -5713,7 +5751,7 @@ net.ipv6.conf.default.accept_ra=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is not applicable. - -@@ -5733,7 +5771,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/l - - If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. 
-+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - -@@ -5751,9 +5789,7 @@ net.ipv4.conf.default.send_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. - - Check the value of the "default send_redirects" variables with the following command: - -@@ -5771,7 +5807,7 @@ $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/lo - - If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5787,7 +5823,7 @@ net.ipv6.conf.all.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. -+$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5807,7 +5843,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca - - If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5821,7 +5857,7 @@ kernel.unprivileged_bpf_disabled = 1 - - The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: - - $ sudo sysctl kernel.unprivileged_bpf_disabled - -@@ -5837,7 +5873,7 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/ - - If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5851,7 +5887,7 @@ kernel.yama.ptrace_scope = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: - - $ sudo sysctl kernel.yama.ptrace_scope - -@@ -5867,7 +5903,7 @@ $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysc - - If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: - - $ sudo sysctl kernel.kptr_restrict - - kernel.kptr_restrict = 1 - --If the returned line does not have a value of "1", or a line is not returned, this is a finding. -+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - - Check that the configuration files are present to enable this network parameter. - -@@ -5895,9 +5931,9 @@ $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d - - /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 - --If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding. -+If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5913,7 +5949,7 @@ user.max_user_namespaces = 0 - - The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: - - Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -@@ -5931,7 +5967,7 @@ $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysc - - If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5945,13 +5981,13 @@ net.ipv4.conf.all.rp_filter = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: - - $ sudo sysctl net.ipv4.conf.all.rp_filter - - net.ipv4.conf.all.rp_filter = 1 - --If the returned line does not have a value of "1", or a line is not returned, this is a finding. -+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - - Check that the configuration files are present to enable this network parameter. - -@@ -5959,9 +5995,9 @@ $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/s - - /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 - --If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding. -+If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: - - $ sudo 
postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. - -@@ -6155,23 +6191,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* - - If the either of the following entries are returned, this is a finding: - ALL ALL=(ALL) ALL --ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -+ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
- For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: - Defaults !targetpw - Defaults !rootpw --Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -+Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. - --$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' -+$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' - - /etc/sudoers:Defaults !targetpw - /etc/sudoers:Defaults !rootpw - /etc/sudoers:Defaults !runaspw - --If no results are returned, this is a finding. --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. - If "Defaults !targetpw" is not defined, this is a finding. - If "Defaults !rootpw" is not defined, this is a finding. --If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
-+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. - -@@ -6181,12 +6216,12 @@ $ sudo visudo - - Add or modify the following line: - Defaults timestamp_timeout=[value] --Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. -+Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. - --$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d - /etc/sudoers:Defaults timestamp_timeout=0 - --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. - - If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
- -@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server - - openssh-server.x86_64 8.0p1-5.el8 @anaconda - --If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6751,9 +6786,7 @@ net.ipv4.conf.default.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. 
-- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. - - Check the value of the default "accept_redirects" variables with the following command: - -@@ -6771,7 +6804,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ - - If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6787,9 +6820,7 @@ net.ipv4.conf.all.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. - - Check the value of the accept source route variable with the following command: - -@@ -6807,7 +6838,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l - - If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6823,9 +6854,7 @@ net.ipv4.conf.default.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. - - Check the value of the accept source route variable with the following command: - -@@ -6843,7 +6872,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /u - - If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
-+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6859,9 +6888,7 @@ net.ipv4.conf.all.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. - - Check the value of the "accept_redirects" variables with the following command: - -@@ -6879,7 +6906,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca - - If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. - -@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: - - $ sudo sysctl net.core.bpf_jit_harden - -@@ -6911,7 +6938,7 @@ $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysct - - If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. -+If conflicting results are returned, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. - - Procedure: - Check that the following package has been installed: -@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock - - unconfined_u:object_r:faillog_t:s0 /var/log/faillock - --If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -7001,15 +7028,13 @@ net.ipv4.conf.all.forwarding=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. - - Check that IPv4 forwarding is disabled using the following command: - --$ sudo sysctl net.ipv4.ip_forward -+$ sudo sysctl net.ipv4.conf.all.forwarding - --net.ipv4.ip_forward = 0 -+net.ipv4.conf.all.forwarding = 0 - If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - Check that the configuration files are present to enable this network parameter. -@@ -7020,7 +7045,7 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ - - If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. 
- --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: - - Perform a password reset: - $ sudo passwd [username] -@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64 - - If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - --If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. -- -+If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. 
The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. -+ - It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. - - Edit the /etc/sudoers file with the following command: -@@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command: - $ sudo visudo - - Add or modify the following line: --#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: -+#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. 
-+ -+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: - - $ sudo grep include /etc/sudoers - -@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s - - Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: - --$ sudo grep include /etc/sudoers.d/* -+$ sudo grep -r include /etc/sudoers.d - - If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality - - password required pam_pwquality.so retry=3 - --If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
-+If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: - /etc/pam.d/password-auth -@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): - --retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. -+retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. - - Verify the operating system is configured to limit the "pwquality" retry option to 3. - - Check for the use of the "pwquality" retry option with the following command: - --$ sudo grep retry /etc/security/pwquality.conf -+$ sudo grep -r retry /etc/security/pwquality.conf* - --retry = 3 -+/etc/security/pwquality.conf:retry = 3 - - If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. - -+If conflicting results are returned, this is a finding. 
-+ - Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: - - $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth - -From feea7690b848d68c150712c841c74703b70e1a02 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 1 Aug 2022 14:46:19 +0200 -Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R6 - -The V1R6 SCAP content is aligned with the V1R7 manual benchmark. ---- - ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++-------- - 1 file changed, 539 insertions(+), 406 deletions(-) - rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%) - -diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -similarity index 96% -rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -index 1bd2fb7b659..e87b16eb377 100644 ---- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -@@ -1,36 +1,36 @@ - -- -- -+ -+ - -- -+ - -- -+ - - - - -- -+ - -- -+ - - - - -- -- -+ -+ - - -- -+ - - - Red Hat Enterprise Linux 8 -- oval:mil.disa.stig.rhel8:def:1 -+ oval:mil.disa.stig.rhel8:def:1 - - - -- -+ - -- accepted -+ accepted - Red Hat Enterprise Linux 8 Security Technical Implementation Guide - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
- -@@ -40,11 +40,11 @@ - DISA - STIG.DOD.MIL - -- Release: 1.5 Benchmark Date: 27 Apr 2022 -+ Release: 1.6 Benchmark Date: 27 Jul 2022 - 3.3.0.27375 - 1.10.0 - -- 001.005 -+ 001.006 - - DISA - DISA -@@ -2189,15 +2189,15 @@ - - - -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ - - -- -+ - - - -@@ -2217,7 +2217,7 @@ - - - -- -+ - - - -@@ -2237,26 +2237,26 @@ - - - -- -+ - - -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ - - - - - -- -+ - - -- -- -+ -+ - - - -@@ -2337,7 +2337,7 @@ - - - -- -+ - - - -@@ -2355,21 +2355,21 @@ - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -2379,9 +2379,9 @@ - - - -- -- -- -+ -+ -+ - - - SRG-OS-000480-GPOS-00227 -@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L - Upgrade to a supported version of RHEL 8. - - -- -+ - - - -@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable - Reboot the system for the changes to take effect. - - -- -+ - - - -@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M - ENCRYPT_METHOD SHA512 - - -- -+ - - - -@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth - Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. 
- - -- -+ - - - -@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ - SHA_CRYPT_MIN_ROUNDS 5000 - - -- -+ - - - -@@ -2549,7 +2549,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2577,7 +2577,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2601,7 +2601,7 @@ Confirm password: - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - -- -+ - - - -@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include - password sufficient pam_unix.so sha512 - - -- -+ - - - -@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - Remove any files with the .keytab extension from the operating system. - - -- -+ - - - -@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-workstation - - -- -+ - - - -@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o - $ sudo yum install policycoreutils - - -- -+ - - - -@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. 
- $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0640 /var/log/messages - - -- -+ - - - -@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log/messages - - -- -+ - - - -@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log/messages - - -- -+ - - - -@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0755 /var/log - - -- -+ - - - -@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log - - -- -+ - - - -@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log - - -- -+ - - - -@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 - A reboot is required for the changes to take effect. 
- - -- -+ - - - -@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod - $ sudo chmod 755 [FILE] - - -- -+ - - - -@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o - $ sudo chown root [FILE] - - -- -+ - - - -@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g - $ sudo chgrp root [FILE] - - -- -+ - - - -@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i - gpgcheck=1 - - -- -+ - - - -@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: - localpkg_gpgcheck=True - - -- -+ - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
-@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
-@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010380 - RHEL 8 must require users to provide a password for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. -@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - 2921 - - CCI-002038 -- Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. -- -+ Configure the operating system to require users to supply a password for privilege escalation. -+ -+Check the configuration of the "/etc/sudoers" file with the following command: -+$ sudo visudo -+ -+Remove any occurrences of "NOPASSWD" tags in the file. 
-+ -+Check the configuration of the /etc/sudoers.d/* files with the following command: -+$ sudo grep -ir nopasswd /etc/sudoers.d -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ - -- -+ - - - -@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - - -- -+ - - - -@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi - $ sudo yum install openssl-pkcs11 - - -- -+ - - - - - SRG-OS-000433-GPOS-00193 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. -@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect: - $ sudo sysctl --system - - -- -+ - - - -@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con - clean_requirements_on_remove=True - - -- -+ - - - -@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted - A reboot is required for the changes to take effect. - - -- -+ - - - -@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect. - $ sudo rm /etc/ssh/shosts.equiv - - -- -+ - - - -@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv - $ sudo rm /[path]/[to]/[file]/.shosts - - -- -+ - - - -@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. 
To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3673,7 +3683,7 @@ Compression no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var" path onto a separate file system. - - -- -+ - - - -@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var/log" path onto a separate file system. - - -- -+ - - - -@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service - Migrate the system audit data path onto a separate file system. - - -- -+ - - - -@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/tmp" directory onto a separate file system/partition. - - -- -+ - - - -@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service - $ sudo systemctl enable rsyslog.service - - -- -+ - - - -@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - - -- -+ - - - -@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. 
- - -- -+ - - - -@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard core 0 - - -- -+ - - - -@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - Storage=none - - -- -+ - - - -@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - ProcessSizeMax=0 - - -- -+ - - - -@@ -4135,7 +4145,7 @@ ProcessSizeMax=0 - CREATE_HOME yes - - -- -+ - - - -@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - deny = 3 - - -- -+ - - - -@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - fail_interval = 900 - - -- -+ - - - -@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - unlock_time = 0 - - -- -+ - - - -@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - silent - - -- -+ - - - -@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - audit - - -- -+ - - - -@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - even_deny_root - - -- -+ - - - -@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard maxlogins 10 - - -- -+ - - - -@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: - set -g lock-command vlock - - -- -+ - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - --Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. -+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
- - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - -@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - 2921 - - CCI-000056 -- Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -+ Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: - --If [ "$PS1" ]; then -+if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi - - This setting will take effect at next logon. -- -+ - -- -+ - - - -@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - - -- -+ - - - -@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin - password required pam_pwquality.so - - -- -+ - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020110 - RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ucredit = -1 - - -- -+ - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020120 - RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - lcredit = -1 - - -- -+ - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020130 - RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - dcredit = -1 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020140 - RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin - maxclassrepeat = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020150 - RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - maxrepeat = 3 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020160 - RHEL 8 must require the change of at least four character classes when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - minclass = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020170 - RHEL 8 must require the change of at least 8 characters when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - difok = 8 - - -- -+ - - - -@@ -4977,7 +4987,7 @@ difok = 8 - $ sudo chage -m 1 [user] - - -- -+ - - - -@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ - PASS_MIN_DAYS 1 - - -- -+ - - - -@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MAX_DAYS 60 - - -- -+ - - - -@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 - $ sudo chage -M 60 [user] - - -- -+ - - - -@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have - password required pam_pwhistory.so use_authtok remember=5 retry=3 - - -- -+ - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020230 - RHEL 8 passwords must have a minimum of 15 characters. - <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - minlen = 15 - - -- -+ - - - -@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MIN_LEN 15 - - -- -+ - - - -@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 - DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - - -- -+ - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020280 - All RHEL 8 passwords must contain at least one special character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
-@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ocredit = -1 - - -- -+ - - - - - SRG-OS-000480-GPOS-00225 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. - <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> -@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a - dictcheck=1 - - -- -+ - - - -@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr - FAIL_DELAY 4 - - -- -+ - - - -@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -5319,7 +5329,7 @@ PrintLastLog yes - The SSH service must be restarted for changes to "sshd_config" to take effect. - - -- -+ - - - -@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 - UMASK 077 - - -- -+ - - - -@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator - action_mail_acct = root - - -- -+ - - - -@@ -5441,7 +5451,7 @@ disk_error_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - - -- -+ - - - -@@ -5475,7 +5485,7 @@ disk_full_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - - -- -+ - - - -@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: - local_events = yes - - -- -+ - - - -@@ -5535,7 +5545,7 @@ name_format = hostname - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5565,7 +5575,7 @@ log_format = ENRICHED - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] - Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - - -- -+ - - - -@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". 
- - -- -+ - - - -@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - - -- -+ - - - -@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] - Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - - -- -+ - - - -@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - - -- -+ - - - -@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - --loginuid-immutable - - -- -+ - - - -@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t - $ sudo yum install audit - - -- -+ - - - -@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules - $ sudo chmod 0640 /etc/audit/auditd.conf - - -- -+ - - - -@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] - Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - - -- -+ - - - -@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] - Replace "[audit_tool]" with each audit tool not owned by "root". - - -- -+ - - - -@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] - Replace "[audit_tool]" with each audit tool not group-owned by "root". 
- - -- -+ - - - -@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog - - -- -+ - - - -@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog-gnutls - - -- -+ - - - -@@ -7471,7 +7481,7 @@ overflow_action = syslog - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -7497,7 +7507,7 @@ space_left = 25% - Note: Option names and values in the auditd.conf file are case insensitive. - - -- -+ - - - -@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - port 0 - - -- -+ - - - -@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - cmdport 0 - - -- -+ - - - -@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass - $ sudo yum remove telnet-server - - -- -+ - - - -@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove abrt* - - -- -+ - - - -@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove sendmail - - -- -+ - - - -@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion - $ sudo yum remove rsh-server - - -- -+ - - - -@@ -7716,7 +7726,7 @@ blacklist atm - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7749,7 +7759,7 @@ blacklist can - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7782,7 +7792,7 @@ blacklist sctp - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7815,7 +7825,7 @@ blacklist tipc - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7848,7 +7858,7 @@ blacklist cramfs - Reboot the system for the settings to take effect. 
- - -- -+ - - - -@@ -7879,7 +7889,7 @@ blacklist firewire-core - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7910,14 +7920,14 @@ blacklist usb-storage - Reboot the system for the settings to take effect. - - -- -+ - - - - - SRG-OS-000300-GPOS-00118 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. -@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per - 2921 - - CCI-001443 -- Configure the operating system to disable the Bluetooth adapter when not in use. -+ Configure the operating system to disable the Bluetooth adapter when not in use. - - Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - - install bluetooth /bin/true - -+Disable the ability to use the Bluetooth kernel module. -+ -+$ sudo vi /etc/modprobe.d/blacklist.conf -+ -+Add or update the line: -+ -+blacklist bluetooth -+ - Reboot the system for the settings to take effect. 
-- -+ - -- -+ - - - -@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - 
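Review bot: The added `blacklist bluetooth` step in the RHEL-08-040111 fix text does not explain how it relates to the existing `install bluetooth /bin/true` line, and the two directives are not interchangeable: `blacklist` only suppresses alias-driven autoloading, while the `install` line is what turns an explicit `modprobe bluetooth` into a no-op, so a reader who applies only the newly added step still has a module that root can load. I would add one sentence before the reboot line, e.g. `Both lines are required: "blacklist" prevents automatic loading by alias, "install ... /bin/true" prevents explicit loading with modprobe.` Neither directive unloads a module that is already resident, so the reboot step (or `modprobe -r bluetooth`, verified with `lsmod`) should remain mandatory rather than read as optional. Since dracut copies /etc/modprobe.d into the initramfs, hosts that load bluetooth early may presumably also need the initramfs regenerated — worth confirming before adding that to the fix text. The rule's check portion is not visible in this hunk, so I cannot confirm it inspects every file under /etc/modprobe.d/ rather than only the two files named here.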
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - $ sudo systemctl enable sshd.service - - -- -+ - - - -@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. - $ sudo systemctl daemon-reload - - -- -+ - - - -@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload - $ sudo yum remove tftp-server - - -- -+ - - - -@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server - If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040210 - RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
- <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. -@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040240 - RHEL 8 must not forward IPv6 source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
-@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040250 - RHEL 8 must not forward IPv6 source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040260 - RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
-@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
-@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
-@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040284 - RHEL 8 must disable the use of user namespaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
-@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9125,7 +9143,7 @@ $ sudo sysctl --system - $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - - -- -+ - - - -@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: - $ sudo systemctl restart sshd - - -- -+ - - - -@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us - X11UseLocalhost yes - - -- -+ - - - -@@ -9207,7 +9225,7 @@ X11UseLocalhost yes - server_args = -s /var/lib/tftpboot - - -- -+ - - - -@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot - $ sudo yum remove vsftpd - - -- -+ - - - -@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose - $ sudo yum remove gssproxy - - -- -+ - - - -@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI - $ sudo yum remove iprutils - - -- -+ - - - -@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. - $ sudo yum remove tuned - - -- -+ - - - -@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-server - - -- -+ - - - -@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL - ALL ALL=(ALL:ALL) ALL - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-@@ -9395,14 +9413,14 @@ Defaults !rootpw - Defaults !runaspw - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] - Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p - Note: Manual changes to the listed file may be overwritten by the "authselect" program. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9540,18 +9558,18 @@ Lock an account: - $ sudo passwd -l [username] - - -- -+ - - - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - -@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - - - -- -+ - -- RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. -+ RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. 
- - Red Hat Enterprise Linux 8 - - If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - -- -+ - -- - - - -@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe - - - -- -+ - - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - -@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per - - - -+ - - - -@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - - - -- -+ - - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - -@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - For more information on each of the listed configurations, reference the sudoers(5) manual page. - - -- -+ - - - -- -+ - - - -- -+ - - - - - -- -+ - - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - -@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit - - If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. 
- -- -- -- -+ -+ - - - -@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - -- -- -+ -+ - - - - - - -- -- -+ -+ - - - -- -- -+ -+ - - - -@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -- -- -- -- -+ -+ - - - -@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil - - - -+ -+ -+ - - - -@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -+ - -- -+ - - -+ - - - - - -- -+ - - - -- -+ - - -+ - -- -+ - - -+ - - - -@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -- -- -- -- -- -+ -+ - - - -@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil - oval:mil.disa.stig.rhel8:obj:13602 - - -- -+ -+ - /etc/sudoers - ^(?!#).*\s+NOPASSWD.*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+NOPASSWD.*$ -@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ 
^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19700 -+ oval:mil.disa.stig.rhel8:obj:19701 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19800 -+ oval:mil.disa.stig.rhel8:obj:19801 -+ -+ - - /etc/security/pwquality.conf - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20000 -+ oval:mil.disa.stig.rhel8:obj:20001 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20100 -+ oval:mil.disa.stig.rhel8:obj:20101 -+ -+ - - /etc/security/pwquality.conf - ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20300 -+ oval:mil.disa.stig.rhel8:obj:20301 -+ -+ - - /etc/shadow - ^root:[^:]*:[^:]*:0*: -@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* - ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ /etc/security -+ ^pwquality\.conf -+ ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ 
-+ oval:mil.disa.stig.rhel8:obj:20900 -+ oval:mil.disa.stig.rhel8:obj:20901 -+ -+ - - /etc/login.defs - ^\s*PASS_MIN_LEN\s+(\d+)\s*$ -@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/pwquality.conf.d/ -- ^.*\.conf$ -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:21400 -+ oval:mil.disa.stig.rhel8:obj:21401 -+ -+ - - /etc/login.defs - ^\s*FAIL_DELAY\s+(\d+)\s*$ -@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil - ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ - 1 - -+ -+ /etc/modprobe.d -+ .* -+ ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ -+ 1 -+ - - /dev/shm - -@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*Defaults\s+\!runaspw\s*$ - 1 - -- -+ -+ - /etc/sudoers -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:41600 -+ oval:mil.disa.stig.rhel8:obj:41601 -+ -+ - - /etc/pam.d/system-auth - \bnullok\b -@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil - - 1 - -+ -+ 2 -+ -+ -+ 2 -+ - - 0 - - - 0 - -+ -+ 2 -+ -+ -+ 2 -+ - - ^(no|"no")$ - -@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - - -From b2b2dbba78bb1e182ddfe9e90bd8a8ae5cf33187 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 1 
Aug 2022 14:49:09 +0200
-Subject: [PATCH 3/3] Update RHEL8 STIG to V1R7
-
----
- products/rhel8/profiles/stig.profile | 4 ++--
- products/rhel8/profiles/stig_gui.profile | 4 ++--
- tests/data/profile_stability/rhel8/stig.profile | 4 ++--
- tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
- 4 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 7adbfee5559..4b480bd2c11 100644
---- a/products/rhel8/profiles/stig.profile
-+++ b/products/rhel8/profiles/stig.profile
-@@ -1,7 +1,7 @@
- documentation_complete: true
-
- metadata:
-- version: V1R6
-+ version: V1R7
- SMEs:
- - mab879
- - ggbecker
-@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
-
- description: |-
- This profile contains configuration checks that align to the
-- DISA STIG for Red Hat Enterprise Linux 8 V1R6.
-+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
-
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
- configuration baseline as applicable to the operating system tier of
-diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
-index 665bc1e059d..fa8bc724a5d 100644
---- a/products/rhel8/profiles/stig_gui.profile
-+++ b/products/rhel8/profiles/stig_gui.profile
-@@ -1,7 +1,7 @@
- documentation_complete: true
-
- metadata:
-- version: V1R6
-+ version: V1R7
- SMEs:
- - mab879
- - ggbecker
-@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
-
- description: |-
- This profile contains configuration checks that align to the
-- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
-+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7.
-
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
- configuration baseline as applicable to the operating system tier of
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 2a16a82889a..4bee72830d0 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -1,7 +1,7 @@
- title: DISA STIG for Red Hat Enterprise Linux 8
- description: 'This profile contains configuration checks that align to the
-
-- DISA STIG for Red Hat Enterprise Linux 8 V1R6.
-+ DISA STIG for Red Hat Enterprise Linux 8 V1R7
-
-
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
-@@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the
- - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
- extends: null
- metadata:
-- version: V1R6
-+ version: V1R7
- SMEs:
- - mab879
- - ggbecker
-diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index e79776f8e90..ece32d06a6f 100644
---- a/tests/data/profile_stability/rhel8/stig_gui.profile
-+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
-@@ -1,7 +1,7 @@
- title: DISA STIG with GUI for Red Hat Enterprise Linux 8
- description: 'This profile contains configuration checks that align to the
-
-- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
-+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7.
-
-
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
-@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the
- standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
- extends: null
- metadata:
-- version: V1R6
-+ version: V1R7
- SMEs:
- - mab879
- - ggbecker
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch b/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
deleted file mode 100644
index ce526cb..0000000
--- a/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 1 Aug 2022 17:50:37 +0200
-Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
-
-This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
-sysctl_net_ipv4_forward.
----
- .../rule.yml | 44 +++++++++++++++++++
- ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
- shared/references/cce-redhat-avail.txt | 1 -
- 3 files changed, 61 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
- create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
-
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
-new file mode 100644
-index 00000000000..7b0066f7c29
---- /dev/null
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
-@@ -0,0 +1,44 @@
-+documentation_complete: true
-+
-+prodtype: rhel8
-+
-+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
-+
-+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
-+
-+rationale: |-
-+ IP forwarding permits the kernel to forward packets from one network
-+ interface to another. The ability to forward packets between two networks is
-+ only appropriate for systems acting as routers.
-+
-+severity: medium
-+
-+identifiers:
-+ cce@rhel8: CCE-86220-1
-+
-+references:
-+ disa: CCI-000366
-+ nist: CM-6(b)
-+ srg: SRG-OS-000480-GPOS-00227
-+ stigid@rhel8: RHEL-08-040259
-+
-+ocil_clause: 'IP forwarding value is "1" and the system is not router'
-+
-+ocil: |-
-+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
-+ The ability to forward packets is only appropriate for routers.
-+
-+fixtext: |-
-+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
-+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
-+
-+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
-+
-+platform: machine
-+
-+template:
-+ name: sysctl
-+ vars:
-+ sysctlvar: net.ipv4.conf.all.forwarding
-+ datatype: int
-+
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
-new file mode 100644
-index 00000000000..2aedd6e6432
---- /dev/null
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
-@@ -0,0 +1,17 @@
-+documentation_complete: true
-+
-+title: net.ipv4.conf.all.forwarding
-+
-+description: 'Toggle IPv4 Forwarding'
-+
-+type: number
-+
-+operator: equals
-+
-+interactive: false
-+
-+options:
-+ default: "0"
-+ disabled: "0"
-+ enabled: 1
-+
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 914233f06bf..3e14b73dd71 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -168,7 +168,6 @@ CCE-86216-9
- CCE-86217-7
- CCE-86218-5
- CCE-86219-3
--CCE-86220-1
- CCE-86221-9
- CCE-86222-7
- CCE-86223-5
-
-From 
0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 1 Aug 2022 17:53:32 +0200
-Subject: [PATCH 2/2] Better align with RHEL-08-040259
-
-The item is about net.ipv4.conf.all.forwarding
-The update to V1R7 made brought this misalignment to light.
----
- .../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
- products/rhel8/profiles/stig.profile | 2 +-
- tests/data/profile_stability/rhel8/stig.profile | 4 ++--
- tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
- 4 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-index 5c449db7f3a..7acfc0b05b6 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
-@@ -45,7 +45,6 @@ references:
- stigid@ol7: OL07-00-040740
- stigid@ol8: OL08-00-040260
- stigid@rhel7: RHEL-07-040740
-- stigid@rhel8: RHEL-08-040259
- stigid@sle12: SLES-12-030430
- stigid@sle15: SLES-15-040380
-
-diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 4b480bd2c11..6b44436a2b1 100644
---- a/products/rhel8/profiles/stig.profile
-+++ b/products/rhel8/profiles/stig.profile
-@@ -1127,7 +1127,7 @@ selections:
- - sysctl_net_ipv6_conf_default_accept_source_route
-
- # RHEL-08-040259
-- - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv4_conf_all_forwarding
-
- # RHEL-08-040260
- - sysctl_net_ipv6_conf_all_forwarding
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 4bee72830d0..47f53a9d023 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -1,7 
+1,7 @@
- title: DISA STIG for Red Hat Enterprise Linux 8
- description: 'This profile contains configuration checks that align to the
-
-- DISA STIG for Red Hat Enterprise Linux 8 V1R7
-+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
-
-
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
-@@ -395,13 +395,13 @@ selections:
- - sysctl_net_core_bpf_jit_harden
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
-+- sysctl_net_ipv4_conf_all_forwarding
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_conf_default_send_redirects
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
--- sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_source_route
-diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index ece32d06a6f..c4e60ddcde5 100644
---- a/tests/data/profile_stability/rhel8/stig_gui.profile
-+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
-@@ -405,13 +405,13 @@ selections:
- - sysctl_net_core_bpf_jit_harden
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
-+- sysctl_net_ipv4_conf_all_forwarding
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv4_conf_default_send_redirects
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
--- sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch b/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
deleted file mode 100644
index 36aa0be..0000000
--- a/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
+++ /dev/null
@@ -1,89 +0,0 @@ -From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 9 Aug 2022 17:28:33 +0200 -Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG - profile. - ---- - .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 + - .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 + - products/rhel8/profiles/stig.profile | 14 +++++++------- - tests/data/profile_stability/rhel8/stig.profile | 2 ++ - .../data/profile_stability/rhel8/stig_gui.profile | 2 ++ - 5 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -index 46ea0558a42..1e9c6172758 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -@@ -57,6 +57,7 @@ references: - stigid@ol7: OL07-00-040320 - stigid@ol8: OL08-00-010201 - stigid@rhel7: RHEL-07-040320 -+ stigid@rhel8: RHEL-08-010201 - stigid@sle12: SLES-12-030190 - stigid@sle15: SLES-15-010280 - stigid@ubuntu2004: UBTU-20-010037 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -index 0f0693ddc6c..f6e98a61d9a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -@@ -53,6 +53,7 @@ references: - stigid@ol7: OL07-00-040340 - stigid@ol8: OL08-00-010200 - stigid@rhel7: RHEL-07-040340 -+ stigid@rhel8: RHEL-08-010200 - stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 - vmmsrg: SRG-OS-000480-VMM-002000 -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 6b44436a2b1..124b7520d3a 100644 ---- a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ 
-170,13 +170,13 @@ selections: - # RHEL-08-010190 - - dir_perms_world_writable_sticky_bits - -- # These two items don't behave as they used to in RHEL8.6 and RHEL9 -- # anymore. They will be disabled for now until an alternative -- # solution is found. -- # # RHEL-08-010200 -- # - sshd_set_keepalive_0 -- # # RHEL-08-010201 -- # - sshd_set_idle_timeout -+ # Although these rules have a different behavior in RHEL>=8.6 -+ # they still need to be selected so it follows exactly what STIG -+ # states. -+ # RHEL-08-010200 -+ - sshd_set_keepalive_0 -+ # RHEL-08-010201 -+ - sshd_set_idle_timeout - - # RHEL-08-010210 - - file_permissions_var_log_messages -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 47f53a9d023..6c75d0ae1b1 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -369,6 +369,8 @@ selections: - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_rekey_limit -+- sshd_set_idle_timeout -+- sshd_set_keepalive_0 - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index c4e60ddcde5..8a7a469b940 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -379,6 +379,8 @@ selections: - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_rekey_limit -+- sshd_set_idle_timeout -+- sshd_set_keepalive_0 - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification diff --git a/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch b/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch deleted file mode 100644 index da41301..0000000 --- a/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 2 Aug 2022 15:57:52 +0200 -Subject: [PATCH 1/2] Accept sudoers files without includes as compliant - -Update rule sudoers_default_includedir to accept as compliant sudoers -files that don't have any #include or #includedir directive ---- - .../oval/shared.xml | 24 +++++++++++++++---- - .../sudo/sudoers_default_includedir/rule.yml | 8 ++++--- - ...cludedir.fail.sh => no_includedir.pass.sh} | 2 +- - 3 files changed, 26 insertions(+), 8 deletions(-) - rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%) - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -index 59cab0b89de..629fbe8c6d2 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -@@ -1,10 +1,16 @@ - - - {{{ oval_metadata("Check if sudo includes only the default includedir") }}} -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -32,6 +38,16 @@ - 1 - - -+ -+ -+ -+ -+ /etc/sudoers -+ ^#includedir[\s]+.*$ -+ 1 -+ -+ - - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -index aa2aaee19f8..83bfb0183bd 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -@@ -8,9 +8,11 @@ description: |- - Administrators can configure authorized sudo users via drop-in files, and it is possible to include - other directories and configuration files from the file currently being parsed. 
- -- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. -- The /etc/sudoers should contain only one #includedir directive pointing to -- /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. -+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, -+ or that no drop-in file is included. -+ Either the /etc/sudoers should contain only one #includedir directive pointing to -+ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; -+ Or the /etc/sudoers should not contain any #include or #includedir directives. - Note that the '#' character doesn't denote a comment in the configuration file. - - rationale: |- -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -similarity index 51% -rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -index 1e0ab8aea92..fe73cb25076 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash - # platform = multi_platform_all - --sed -i "/#includedir.*/d" /etc/sudoers -+sed -i "/#include(dir)?.*/d" /etc/sudoers - -From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 12:01:12 +0200 -Subject: [PATCH 2/2] Improve definition's comments - ---- - .../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml 
b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -index 629fbe8c6d2..82095acc6ed 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -@@ -8,8 +8,8 @@ - - - -- -- -+ -+ - - - diff --git a/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch b/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch deleted file mode 100644 index 19343f2..0000000 --- a/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch +++ /dev/null 
@@ -1,358 +0,0 @@ -From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 09:57:33 +0200 -Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values - -This also removes value '0' from the list of possible configurations. -This change aligns the rule better with STIG. ---- - .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++ - .../tests/value_1.pass.sh | 10 ++++++++++ - .../tests/value_2.pass.sh | 10 ++++++++++ - .../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +- - 4 files changed, 25 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 496a8491f32..697f79fa872 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -59,4 +59,8 @@ template: - name: sysctl - vars: - sysctlvar: net.ipv4.conf.all.rp_filter -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" - datatype: int -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -new file mode 100644 -index 
00000000000..516bfaf1369 ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf -+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w net.ipv4.conf.all.rp_filter="1" -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -new file mode 100644 -index 00000000000..ef1b8da0479 ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf -+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w net.ipv4.conf.all.rp_filter="2" -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -index e3fc78e3f05..1eae854f6b0 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -+++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -@@ -17,5 +17,5 @@ interactive: false - - options: - default: 1 -- disabled: "0" - enabled: 1 -+ loose: 2 - -From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 10:53:40 +0200 -Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values - -This also removes value '0' from the list of possible configurations. -This change aligns the rule better with STIG. ---- - .../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++ - .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++ - .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++ - .../sysctl_kernel_kptr_restrict_value.var | 1 - - 4 files changed, 24 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh - -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 1984b3c8691..5706eee0a0a 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -42,6 +42,10 @@ template: - name: sysctl - vars: - sysctlvar: kernel.kptr_restrict -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" - datatype: int - - fixtext: |- -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh 
b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -new file mode 100644 -index 00000000000..e6efae48b25 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf -+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.kptr_restrict="1" -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -new file mode 100644 -index 00000000000..be3f2b743ef ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf -+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.kptr_restrict="2" -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -index 452328e3efd..268550de53d 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -+++ 
b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -@@ -12,6 +12,5 @@ interactive: false - - options: - default: 1 -- 0: 0 - 1: 1 - 2: 2 - -From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 11:08:34 +0200 -Subject: [PATCH 3/5] Remove variable selector that will result in error - -The rule only accepts values 1 or 2 as compliant, the XCCDF Variable -cannot have the value 0, it will never result in pass. ---- - .../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -index b8bf965a255..cbfd9bafa91 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -13,6 +13,5 @@ interactive: false - - options: - default: 2 -- 0: "0" - 1: "1" - 2: "2" - -From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 11:33:03 +0200 -Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol - -For now, the only STIGs I see that adopted this change were RHEL's and -OL's. 
---- - .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++ - .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 + - .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 + - .../sysctl_kernel_kptr_restrict/rule.yml | 2 ++ - .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 + - .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 + - 6 files changed, 8 insertions(+) - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 697f79fa872..f04ae37c13d 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -59,8 +59,10 @@ template: - name: sysctl - vars: - sysctlvar: net.ipv4.conf.all.rp_filter -+ {{% if 'ol' in product or 'rhel' in product %}} - sysctlval: - - '1' - - '2' - wrong_sysctlval_for_testing: "0" -+ {{% endif %}} - datatype: int -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -index 516bfaf1369..583b70a3b97 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* 
/run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -index ef1b8da0479..ef545976dc6 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 5706eee0a0a..f53e035effa 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -42,10 +42,12 @@ template: - name: sysctl - vars: - sysctlvar: kernel.kptr_restrict -+ {{% if 'ol' in product or 'rhel' in product %}} - sysctlval: - - '1' - - '2' - wrong_sysctlval_for_testing: "0" -+ {{% endif %}} - datatype: int - - fixtext: |- -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -index e6efae48b25..70189666c16 100644 ---- 
a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -index be3f2b743ef..209395fa9a1 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel - - # Clean sysctl config directories - rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* - -From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Aug 2022 14:01:40 +0200 -Subject: [PATCH 5/5] Update OCIL check along with the rule - -The OCIL should should mention both compliant values. 
---- - .../rule.yml | 29 +++++++++++++++++-- - .../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++- - 2 files changed, 55 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index f04ae37c13d..4d31c6c3ebd 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -47,11 +47,36 @@ references: - stigid@rhel7: RHEL-07-040611 - stigid@rhel8: RHEL-08-040285 - --{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} -+ocil: |- -+ The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -+ by running the following command: -+
$ sysctl net.ipv4.conf.all.rp_filter
-+ The output of the command should indicate either: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ The output of the command should not indicate: -+ net.ipv4.conf.all.rp_filter = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent sysctl parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0" - - fixtext: |- - Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces. -- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}} -+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}} - - srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.' - -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index f53e035effa..367934b5672 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -34,6 +34,33 @@ references: - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} - -+ocil: |- -+ The runtime status of the kernel.kptr_restrict kernel parameter can be queried -+ by running the following command: -+
$ sysctl kernel.kptr_restrict
-+ The output of the command should indicate either: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ The output of the command should not indicate: -+ kernel.kptr_restrict = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0" -+ - srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.' - - platform: machine -@@ -52,4 +79,4 @@ template: - - fixtext: |- - Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access. -- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}} -+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}} diff --git a/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch b/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch deleted file mode 100644 index 1f8f5b0..0000000 --- a/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch +++ /dev/null 
@@ -1,1888 +0,0 @@ -From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 8 Jul 2022 17:51:57 +0200 -Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP - -Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule -requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default -is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf -programs and all users, and it turns on constants blinding by using -random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 -differ is the constants blinding for CAP_SYS_ADMIN processes in the -initial user namespaces. The extra constants blinding with -bpf_jit_harden=2 does not really help with CVE mitigation. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 ---- - products/rhel9/profiles/ospp.profile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 244a421fb48..a7ba9532d2c 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -75,7 +75,6 @@ selections: - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces - - sysctl_kernel_unprivileged_bpf_disabled -- - sysctl_net_core_bpf_jit_harden - - service_kdump_disabled - - ### Audit - -From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Jul 2022 11:24:42 +0200 -Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template - -The sysctl template uses its sysctlvar parameter value as a part of OVAL -object IDs, test IDs and state IDs. That means we can't have multiple -rules using the sysctl template with the same value of sysctlvar -parameter (only differ in other parameters) because there would be -duplicate elements. We will fix this by using the rule ID as a part of -OVAL object IDs, test IDs and state IDs. 
That will allow to use the -template for the same sysctlvar in different rules. ---- - .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- - shared/templates/sysctl/oval.template | 156 +++++++++--------- - 2 files changed, 80 insertions(+), 80 deletions(-) - -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index 1195cea518f..f971d28a047 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -19,8 +19,8 @@ - - - -- -- -+ -+ - - - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 74583dbee1d..52671c06402 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -5,8 +5,8 @@ - {{%- endif %}} - - {{% macro state_static_sysctld(prefix) -%}} -- -- -+ -+ - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} - {{%- if SYSCTLVAL == "" -%}} -@@ -20,13 +20,13 @@ - {{%- if "P" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -34,7 +34,7 @@ - {{%- elif "I" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - {{% if product in ["ubuntu1604", "ubuntu1804"] %}} -@@ -46,9 +46,9 @@ - {{% endif %}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -58,33 +58,33 @@ - {{%- if "R" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - -+ test_ref="test_{{{ rule_id }}}_runtime"/> - - -- -- -- -+ -+ - - -- -+ - {{{ SYSCTLVAR }}} - - {{% if SYSCTLVAL 
== "" %}} -- -+ - -+ var_ref="{{{ rule_id }}}_value"/> - - -- - {{%- else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} -@@ -100,46 +100,46 @@ - {{%- if "S" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - - - -+ test_ref="test_{{{ rule_id }}}_static"/> - - -+ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> - -+ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -- -+ - {{% endif %}} - - - -- - {{{ state_static_sysctld("sysctl") }}} - - -- - {{{ state_static_sysctld("etc_sysctld") }}} - - -- - {{{ state_static_sysctld("run_sysctld") }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- - {{{ state_static_sysctld("usr_lib_sysctld") }}} -@@ -148,79 +148,79 @@ - - {{% if target_oval_version >= [5, 11] %}} - -- -- -+ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> -+ -+ - - -- -- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter -+ -+ local_var_{{{ rule_id }}}_counter - - -- -+ - 1 - - -- -+ - - -- -+ - - - - -- -+ - -- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} -- state_{{{ SYSCTLID }}}_filepath_is_symlink -+ object_{{{ rule_id }}}_static_set_sysctls_unfiltered -+ state_{{{ rule_id }}}_filepath_is_symlink - - - -- -- -+ -+ - - -- -+ - -- -+ - -- -+ - - - -- -+ - -- var_obj_symlink_{{{ SYSCTLID }}} -- var_obj_blank_{{{ SYSCTLID }}} -+ var_obj_symlink_{{{ rule_id }}} -+ var_obj_blank_{{{ rule_id }}} - - - -- -- local_var_blank_path_{{{ SYSCTLID }}} -+ -+ local_var_blank_path_{{{ rule_id }}} - - -- -+ - - - -- -- local_var_symlinks_{{{ SYSCTLID }}} -+ -+ local_var_symlinks_{{{ rule_id }}} - -- -+ - -- -+ - -- -+ - - - - -- -- -- 
state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} -+ -+ -+ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} - - - -- -+ - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - - {{% endif %}} - -- -- -+ -+ - - - -- -+ - -- object_static_etc_sysctls_{{{ SYSCTLID }}} -- object_static_run_usr_sysctls_{{{ SYSCTLID }}} -+ object_static_etc_sysctls_{{{ rule_id }}} -+ object_static_run_usr_sysctls_{{{ rule_id }}} - - - -- -+ - -- object_static_sysctl_{{{ SYSCTLID }}} -- object_static_etc_sysctld_{{{ SYSCTLID }}} -+ object_static_sysctl_{{{ rule_id }}} -+ object_static_etc_sysctld_{{{ rule_id }}} - - - -- -+ - -- object_static_run_sysctld_{{{ SYSCTLID }}} -+ object_static_run_sysctld_{{{ rule_id }}} - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} -+ object_static_usr_lib_sysctld_{{{ rule_id }}} - {{% endif %}} - - - -- -+ - /etc/sysctl.conf - {{{ sysctl_match() }}} - - -- -+ - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - -- -+ - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -+ - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} -@@ -288,15 +288,15 @@ - {{% endif %}} - {{% if SYSCTLVAL == "" %}} - -- -- -+ - - -- - {{% else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} - {{% else %}} - -From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 10:16:45 +0200 -Subject: [PATCH 03/23] Use a list of values in sysctl template - -This patch adds an ability to use a list of values instead of a single -value in the sysctlval parameter of the sysctl template. This is useful -for situations when we want to create a rule that passes for multiple -different sysctl values. This commit modifies the OVAL for the runtime -configuration. 
The runtime configuration will be allowed to be any of -the values in the list. There is an OR relation between the values. In -fact, this is a first step to enable multiple values in the sysctlval -parameter in the sysctl template, because we will also need to check the -static configuration, which is not done in this commit. ---- - shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ - shared/templates/sysctl/template.py | 24 ++++++++++++-------- - 2 files changed, 47 insertions(+), 9 deletions(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 52671c06402..b73ccc94f72 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -1,5 +1,7 @@ - {{%- if SYSCTLVAL == "" %}} - {{%- set COMMENT_VALUE="the appropriate value" %}} -+{{%- elif SYSCTLVAL is sequence %}} -+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} - {{%- else %}} - {{%- set COMMENT_VALUE=SYSCTLVAL %}} - {{%- endif %}} -@@ -60,21 +62,43 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} -+{{% if SYSCTLVAL is string %}} - - - -+{{% elif SYSCTLVAL is sequence %}} -+ -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+ -+{{% endif %}} - -+ -+{{% if SYSCTLVAL is string %}} - - - - -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+{{% endfor %}} -+{{% endif %}} - - - {{{ SYSCTLVAR }}} - -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} - - - {{%- endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - - {{%- endif -%}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index fa981a9dce9..c62591357c0 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -12,6 +12,13 @@ def preprocess(data, lang): - if "operation" 
not in data: - data["operation"] = "equals" - -+ if data["datatype"] not in ["string", "int"]: -+ raise ValueError( -+ "Test scenarios for data type '{0}' are not implemented yet.\n" -+ "Please check if rule '{1}' has correct data type and edit " -+ "{2} to add tests for it.".format( -+ data["datatype"], data["_rule_id"], __file__)) -+ - # Configure data for test scenarios - if data["sysctlval"] == "": - if data["datatype"] == "int": -@@ -20,20 +27,19 @@ def preprocess(data, lang): - elif data["datatype"] == "string": - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" -- else: -+ elif isinstance(data["sysctlval"], list): -+ if len(data["sysctlval"]) == 0: - raise ValueError( -- "Test scenarios for data type '{0}' are not implemented yet.\n" -- "Please check if rule '{1}' has correct data type and edit " -- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) -+ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) -+ data["sysctl_correct_value"] = data["sysctlval"][0] -+ if data["datatype"] == "int": -+ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] -+ elif data["datatype"] == "string": -+ data["sysctl_wrong_value"] = "wrong_value" - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - data["sysctl_wrong_value"] = "1" + data["sysctlval"] - elif data["datatype"] == "string": - data["sysctl_wrong_value"] = "wrong_value" -- else: -- raise ValueError( -- "Test scenarios for data type '{0}' are not implemented yet.\n" -- "Please check if rule '{1}' has correct data type and edit " -- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) - return data - -From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 10:47:51 +0200 -Subject: [PATCH 04/23] Move check unrelated to the test scenarios - -The check for an mepty list is 
unrelated to the test scenarios, -rather is a generic check to avoid problems during the build. -Therefore, it shouldn't be inside code block that is handling -data for test scenarios, but can be extracted to a sooner position. ---- - shared/templates/sysctl/template.py | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index c62591357c0..421e42c6ca1 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -11,7 +11,12 @@ def preprocess(data, lang): - data["flags"] = "SR" + ipv6_flag - if "operation" not in data: - data["operation"] = "equals" -+ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: -+ raise ValueError( -+ "The sysctlval parameter of {0} is an empty list".format( -+ data["_rule_id"])) - -+ # Configure data for test scenarios - if data["datatype"] not in ["string", "int"]: - raise ValueError( - "Test scenarios for data type '{0}' are not implemented yet.\n" -@@ -19,7 +24,6 @@ def preprocess(data, lang): - "{2} to add tests for it.".format( - data["datatype"], data["_rule_id"], __file__)) - -- # Configure data for test scenarios - if data["sysctlval"] == "": - if data["datatype"] == "int": - data["sysctl_correct_value"] = "0" -@@ -28,9 +32,6 @@ def preprocess(data, lang): - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): -- if len(data["sysctlval"]) == 0: -- raise ValueError( -- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) - data["sysctl_correct_value"] = data["sysctlval"][0] - if data["datatype"] == "int": - data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] - -From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 11:57:50 +0200 -Subject: [PATCH 05/23] Allow multiple values in sysctl 
static configuration - -This extends the OVAL checks for sysctl static configuration -to enable a list of values instead of a single value in the -sysctlval parameter of the sysctl template. The template -will generate OVAL tests for each value in the sysctlval -list. ---- - shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ - 1 file changed, 56 insertions(+) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index b73ccc94f72..4e1bf3cfce3 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -136,6 +136,7 @@ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - - -+{{% if SYSCTLVAL is string %}} - - -@@ -146,6 +147,21 @@ - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+{{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -+ -+{{% endif %}} -+{{% endfor %}} - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -@@ -154,6 +170,7 @@ - - - -+{{% if SYSCTLVAL is string %}} - -@@ -177,6 +194,37 @@ - {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -+ -+ -+ -+ -+{{% endif %}} -+{{% endfor %}} -+{{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} - - {{% endif %}} -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} - - -@@ -336,5 +385,12 @@ - {{% endif %}} - - {{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - {{%- endif -%}} - -From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 
2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 13 Jul 2022 14:55:28 +0200
-Subject: [PATCH 06/23] Add option to allow system default
-
-Introduce new template option `missing_static_pass` to the
-systemctl template. If this option is set to `"true"` in rule.yml
-the OVAL will be generated in a way that the check will pass if
-there is no sysctl static configuration option in the watched sysctl
-configuration files. In other words, the OVAL check will pass if
-the system default isn't overridden.
----
- shared/templates/sysctl/oval.template | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
-index 4e1bf3cfce3..1719a59f9c7 100644
---- a/shared/templates/sysctl/oval.template
-+++ b/shared/templates/sysctl/oval.template
-@@ -134,6 +134,9 @@
-
-
- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
-+{{% if MISSING_STATIC_PASS == "true" %}}
-+
-+{{% endif %}}
-
-
- {{% if SYSCTLVAL is string %}}
-@@ -168,8 +171,20 @@
-
- {{% endif %}}
-
-+{{% if MISSING_STATIC_PASS == "true" %}}
-+
-+
-+{{% endif %}}
-
-
-+{{% if MISSING_STATIC_PASS == "true" %}}
-+
-+
-+
-+{{% endif %}}
-+
- {{% if SYSCTLVAL is string %}}
-
-Date: Wed, 13 Jul 2022 17:02:35 +0200
-Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation
-
-A new parameter sysctlval_remediate is introduced to the sysctl
-template. This allows to choose which of the multiple values in
-the sysctl list will be used in the Bash and Ansible remediations.
---- - docs/templates/template_reference.md | 8 ++++++++ - shared/templates/sysctl/ansible.template | 6 +++--- - shared/templates/sysctl/bash.template | 10 +++++----- - shared/templates/sysctl/template.py | 9 +++++++++ - 4 files changed, 25 insertions(+), 8 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index a439e3dca94..5785f1d453f 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo - - **sysctlval** - value of the sysctl value, eg. `'1'`. If this - parameter is not specified, XCCDF Value is used instead. - -+ - **sysctlval_remediate** - the value that will be used in remediations. -+ If **sysctlval_remediate** is not specified, the template will use the -+ value of the **sysctlval** parameter in the remediations. -+ This parameter is mandatory when the **sysctlval** parameter is a list -+ because we need to know which of the values in the list the system -+ should be remedied to. When the **sysctlval** parameter is not a list -+ this parameter is optional. -+ - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. 
- -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index c13bb6637fe..7724db5e5ff 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL_REMEDIATE == "" %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -@@ -29,10 +29,10 @@ - name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" - {{%- else %}} --- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} -+- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} - sysctl: - name: "{{{ SYSCTLVAR }}}" -- value: "{{{ SYSCTLVAL }}}" -+ value: "{{{ SYSCTLVAL_REMEDIATE }}}" - {{%- endif %}} - state: present - reload: yes -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index d67a59c3886..63948bd5a26 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL_REMEDIATE == "" %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -@@ -38,11 +38,11 @@ done - # - # Set runtime for {{{ SYSCTLVAR }}} - # --/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" -+/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" - - # --# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" --# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf -+# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" -+# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf - # --{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}} -+{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} - {{%- endif %}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 421e42c6ca1..2574d5d42b0 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -16,6 +16,15 @@ def preprocess(data, lang): - "The sysctlval parameter of {0} is an empty list".format( - data["_rule_id"])) - -+ if not data.get("sysctlval_remediate"): -+ if isinstance(data["sysctlval"], list): -+ raise ValueError( -+ "Problem with rule {0}: the 'sysctlval' parameter is a list " -+ "but we are missing the 'sysctlval_remediate' parameter, so " -+ "we don't know how to generate remediation content.".format( -+ data["_rule_id"])) -+ data["sysctlval_remediate"] = data["sysctlval"] -+ - # Configure data for test scenarios - if data["datatype"] not in ["string", "int"]: - raise ValueError( - -From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 17:10:16 +0200 -Subject: [PATCH 08/23] Introduce new rule - sysctl_kernel_unprivileged_bpf_disabled_accept_default - -This rule is very similar to the existing rule -sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl -setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the -rule will pass when the explicit configuration isn't present, allowing -to honor the system's default value which is 2. The goal of this rule is -to prevent unnecessary modification of the RHEL system default value -while still checking for the secure configuration. - -See the explanation in -https://bugzilla.redhat.com/show_bug.cgi?id=2081728: -sysctl_kernel_unprivileged_bpf_disabled sets the -kernel.unprivileged_bpf_disabled value to 1. 
However, on RHEL 9 the -kernel supports new value 2 which per -https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled -makes it for a privileged admin to re-enable unprivileged BPF. The value -2 is also the RHEL 9 default. So the current -sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies -the RHEL 9 default. ---- - .../rule.yml | 82 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 1 - - 2 files changed, 82 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -new file mode 100644 -index 00000000000..f45769dd2d0 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -0,0 +1,82 @@ -+documentation_complete: true -+ -+prodtype: rhel9 -+ -+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' -+ -+description: |- -+ To prevent unprivileged processes from using the bpf() syscall -+ the kernel.unprivileged_bpf_disabled kernel parameter must -+ be set to 1 or 2. -+ -+ Writing 1 to this entry will disable unprivileged calls to bpf(); once -+ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. -+ Once set to 1, this can't be cleared from the running kernel anymore. -+ -+ Writing 2 to this entry will also disable unprivileged calls to bpf(), -+ however, an admin can still change this setting later on, if needed, by -+ writing 0 or 1 to this entry. 
-+
-+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
-+
-+rationale: |-
-+ Loading and accessing the packet filters programs and maps using the bpf()
-+ syscall has the potential of revealing sensitive information about the kernel state.
-+
-+severity: medium
-+
-+identifiers:
-+ cce@rhel9: CCE-87712-6
-+
-+references:
-+ disa: CCI-000366
-+ nist: AC-6,SC-7(10)
-+ ospp: FMT_SMF_EXT.1
-+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
-+ stigid@ol8: OL08-00-040281
-+ stigid@rhel8: RHEL-08-040281
-+
-+ocil: |-
-+ The runtime status of the kernel.unprivileged_bpf_disabled
-+ kernel parameter can be queried by running the following command:
-+
$ sysctl kernel.unprivileged_bpf_disabled
-+ The output of the command should indicate either:
-+ kernel.unprivileged_bpf_disabled = 1
-+ or:
-+ kernel.unprivileged_bpf_disabled = 2
-+ The output of the command should not indicate:
-+ kernel.unprivileged_bpf_disabled = 0
-+
-+ The preferable way how to assure the runtime compliance is to have
-+ correct persistent configuration, and rebooting the system.
-+
-+ The persistent kernel parameter configuration is performed by specifying the appropriate
-+ assignment in any file located in the
/etc/sysctl.d
directory.
-+ Verify that there is not any existing incorrect configuration by executing the following command:
-+
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than:
-+ kernel.unprivileged_bpf_disabled = 1
-+ or:
-+ kernel.unprivileged_bpf_disabled = 2
-+
-+ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2.
-+
-+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"
-+
-+fixtext: |-
-+ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall.
-+
-+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'
-+
-+platform: machine
-+
-+template:
-+ name: sysctl
-+ vars:
-+ sysctlvar: kernel.unprivileged_bpf_disabled
-+ sysctlval:
-+ - '1'
-+ - '2'
-+ sysctlval_remediate: "2"
-+ missing_static_pass: "true"
-+ datatype: int
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 914233f06bf..2c2cf12cafe 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -1435,7 +1435,6 @@ CCE-87708-4
- CCE-87709-2
- CCE-87710-0
- CCE-87711-8
--CCE-87712-6
- CCE-87713-4
- CCE-87714-2
- CCE-87715-9
-
-From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 13 Jul 2022 17:21:50 +0200
-Subject: [PATCH 09/23] Add test scenarios for rule
- sysctl_kernel_unprivileged_bpf_disabled_accept_default
-
----
- .../tests/system_default.pass.sh | 5 +++++
- .../tests/test_config.yml | 6 ++++++
- .../tests/value_0.fail.sh | 11 +++++++++++
- .../tests/value_1.pass.sh | 11 +++++++++++
- .../tests/value_2.pass.sh | 11 +++++++++++
- 5 files changed, 44 insertions(+)
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-new file mode 100644
-index 00000000000..b9776227bdb
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-new file mode 100644
-index 00000000000..dbac89b4caa
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-@@ -0,0 +1,6 @@
-+deny_templated_scenarios:
-+ - line_not_there.fail.sh
-+ - comment.fail.sh
-+ - wrong_value.fail.sh
-+ - wrong_value_d_directory.fail.sh
-+ - wrong_runtime.fail.sh
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-new file mode 100644
-index 00000000000..9f19e0140b4
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="0"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-new file mode 100644
-index 00000000000..e976db594c8
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="1"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-new file mode 100644
-index 00000000000..b1537175eb4
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="2"
-
-From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Thu, 14 Jul 2022 09:14:53 +0200
-Subject: [PATCH 10/23] Use rule
- sysctl_kernel_unprivileged_bpf_disabled_accept_default
-
-Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default
-instead of the rule sysctl_kernel_unprivileged_bpf_disabled
-in the RHEL 9 OSPP profile.
---- - products/rhel9/profiles/ospp.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index a7ba9532d2c..19e4878c4b0 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -74,7 +74,7 @@ selections: - - sysctl_kernel_yama_ptrace_scope - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces -- - sysctl_kernel_unprivileged_bpf_disabled -+ - sysctl_kernel_unprivileged_bpf_disabled_accept_default - - service_kdump_disabled - - ### Audit - -From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 09:25:26 +0200 -Subject: [PATCH 11/23] Document that sysctlval can be a list - ---- - docs/templates/template_reference.md | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 5785f1d453f..716407fd5c9 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this -+ - **sysctlval** - value of the sysctl value. This can be either an atomic -+ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this - parameter is not specified, XCCDF Value is used instead. - - - **sysctlval_remediate** - the value that will be used in remediations. 
- -From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:00:59 +0200 -Subject: [PATCH 12/23] Document the missing_static_pass option - ---- - docs/templates/template_reference.md | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 716407fd5c9..65da697b808 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo - should be remedied to. When the **sysctlval** parameter is not a list - this parameter is optional. - -+ - **missing_static_pass** - if set to `true` the check will pass if the -+ setting for the given **sysctlvar** is not present in sysctl -+ configuration files. In other words, the check will pass if the system -+ default isn't overriden by configuration. Default value: `false`. -+ - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. - - -From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:03:53 +0200 -Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter - -When the `sysctalval` parameter is a list, this parameter will be -substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This -is better than current computing of the SYSCTL_WRONG_VALUE parameter -which is done by prepending "1" to the string value, because the -computed value could be invalid and the `sysctl -w` command used in the -test scenario wrong_runtime.fail.sh could fail to set the value to -SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same -time the `missing_static_pass` is set to `true` and the system is set to -system default, then the unchanged runtime would cause the check to pass -and therefore the test scenario wrong_runtime.fail.sh to error. ---- - docs/templates/template_reference.md | 3 +++ - .../rule.yml | 1 + - shared/templates/sysctl/template.py | 7 ++----- - 3 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 65da697b808..7e1fc7049cf 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo - should be remedied to. When the **sysctlval** parameter is not a list - this parameter is optional. - -+ - **sysctlval_wrong** - the value that is always wrong. This will be used -+ only in the test scenarios only if **sysctlval** is a list. -+ - - **missing_static_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - configuration files. 
In other words, the check will pass if the system -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index f45769dd2d0..ddff15dff8f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -78,5 +78,6 @@ template: - - '1' - - '2' - sysctlval_remediate: "2" -+ sysctlval_wrong: "0" - missing_static_pass: "true" - datatype: int -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 2574d5d42b0..96663694997 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -41,11 +41,8 @@ def preprocess(data, lang): - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): -- data["sysctl_correct_value"] = data["sysctlval"][0] -- if data["datatype"] == "int": -- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] -- elif data["datatype"] == "string": -- data["sysctl_wrong_value"] = "wrong_value" -+ data["sysctl_correct_value"] = data["sysctlval_remediate"] -+ data["sysctl_wrong_value"] = data["sysctlval_wrong"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - -From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:23:59 +0200 -Subject: [PATCH 14/23] Change test_config.yml - ---- - .../tests/test_config.yml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -index dbac89b4caa..c379680e25c 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -@@ -1,6 +1,6 @@ - deny_templated_scenarios: -+ # this rule uses missing_static_pass: true which means the check should pass -+ # if the configuration is missing (or commented out) therefore we disable -+ # line_not_there.fail.sh and comment.fail.sh test scenarios - - line_not_there.fail.sh - - comment.fail.sh -- - wrong_value.fail.sh -- - wrong_value_d_directory.fail.sh -- - wrong_runtime.fail.sh - -From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 15 Jul 2022 10:36:05 +0200 -Subject: [PATCH 15/23] Simplify sysctl template - -Instead of using multiple OVAL tests in OR relation we can have -a single OVAL test containing multiple OVAL states in OR relation. -That will simplify the code. 
---- - shared/templates/sysctl/oval.template | 82 +++++---------------------- - 1 file changed, 13 insertions(+), 69 deletions(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 1719a59f9c7..8241c391ad2 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -8,7 +8,13 @@ - - {{% macro state_static_sysctld(prefix) -%}} - -+{{% if SYSCTLVAL is string %}} - -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} - {{%- if SYSCTLVAL == "" -%}} -@@ -62,38 +68,24 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} --{{% if SYSCTLVAL is string %}} - - - --{{% elif SYSCTLVAL is sequence %}} -- --{{% for x in SYSCTLVAL %}} -- --{{% endfor %}} -- --{{% endif %}} - - --{{% if SYSCTLVAL is string %}} - -+ check="all" check_existence="all_exist" state_operator="OR"> - -+{{% if SYSCTLVAL is string %}} - -- - {{% elif SYSCTLVAL is sequence %}} - {{% for x in SYSCTLVAL %}} -- -- - -- - {{% endfor %}} - {{% endif %}} -+ - - - {{{ SYSCTLVAR }}} -@@ -139,7 +131,6 @@ - {{% endif %}} - - --{{% if SYSCTLVAL is string %}} - - -@@ -150,21 +141,6 @@ - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - --{{% endif %}} --{{% elif SYSCTLVAL is sequence %}} --{{% for x in SYSCTLVAL %}} -- -- -- -- --{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- --{{% endif %}} --{{% endfor %}} - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -@@ -185,61 +161,29 @@ -
- {{% endif %}} - --{{% if SYSCTLVAL is string %}} - -+ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> - {{{ state_static_sysctld("sysctl") }}} - - - -+ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("etc_sysctld") }}} - - - -+ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("run_sysctld") }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} --{{% elif SYSCTLVAL is sequence %}} --{{% for x in SYSCTLVAL %}} -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -- -- -- --{{% endif %}} --{{% endfor %}} --{{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} - -Date: Mon, 25 Jul 2022 15:40:24 +0200 -Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter - -Replace the sysctlval_remediate template parameter by using an XCCDF -value. The variable would be only used in the remediation and would -allow users to tailor the value, instead of the current solution where -the value is hardcoded and can be only changed during build time. 
---- - docs/templates/template_reference.md | 21 +++++++++---------- - .../rule.yml | 1 - - products/rhel9/profiles/ospp.profile | 1 + - shared/templates/sysctl/ansible.template | 6 +++--- - shared/templates/sysctl/bash.template | 10 ++++----- - shared/templates/sysctl/template.py | 11 +--------- - 6 files changed, 20 insertions(+), 30 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 7e1fc7049cf..00f991daae7 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value. This can be either an atomic -- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this -- parameter is not specified, XCCDF Value is used instead. -- -- - **sysctlval_remediate** - the value that will be used in remediations. -- If **sysctlval_remediate** is not specified, the template will use the -- value of the **sysctlval** parameter in the remediations. -- This parameter is mandatory when the **sysctlval** parameter is a list -- because we need to know which of the values in the list the system -- should be remedied to. When the **sysctlval** parameter is not a list -- this parameter is optional. -+ - **sysctlval** - value of the sysctl value. This can be either not -+ specified, or an atomic value, eg. `'1'`, or a list of values, -+ eg. `['1','2']`. -+ - If this parameter is not specified, an XCCDF Value is used instead -+ in OVAL check and remediations. -+ - If this parameter is set to an atomic value, this atomic value -+ will be used in OVAL check and remediations. -+ - If this parameter is set to a list of values, the list will be used -+ in the OVAL check, but won't be used in the remediations. -+ All remediations will use an XCCDF value instead. 
- - - **sysctlval_wrong** - the value that is always wrong. This will be used - only in the test scenarios only if **sysctlval** is a list. -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index ddff15dff8f..9936ed777c8 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -77,7 +77,6 @@ template: - sysctlval: - - '1' - - '2' -- sysctlval_remediate: "2" - sysctlval_wrong: "0" - missing_static_pass: "true" - datatype: int -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 19e4878c4b0..b47630c62b0 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -75,6 +75,7 @@ selections: - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces - - sysctl_kernel_unprivileged_bpf_disabled_accept_default -+ - sysctl_kernel_unprivileged_bpf_disabled_value=2 - - service_kdump_disabled - - ### Audit -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index 7724db5e5ff..edc4d3fb667 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL_REMEDIATE == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -@@ -29,10 +29,10 @@ - name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" - {{%- else %}} --- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} -+- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} - sysctl: - name: "{{{ SYSCTLVAR }}}" -- value: "{{{ SYSCTLVAL_REMEDIATE }}}" -+ value: "{{{ SYSCTLVAL }}}" - {{%- endif %}} - state: present - reload: yes -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index 63948bd5a26..cd3424b0228 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL_REMEDIATE == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -@@ -38,11 +38,11 @@ done - # - # Set runtime for {{{ SYSCTLVAR }}} - # --/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" -+/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" - - # --# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" --# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf -+# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" -+# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf - # --{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} -+{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}} - {{%- endif %}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 96663694997..2b779f99a62 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -16,15 +16,6 @@ def preprocess(data, lang): - "The sysctlval parameter of {0} is an empty list".format( - data["_rule_id"])) - -- if not data.get("sysctlval_remediate"): -- if isinstance(data["sysctlval"], list): -- raise ValueError( -- "Problem with rule {0}: the 'sysctlval' parameter is a list " -- "but we are missing 
the 'sysctlval_remediate' parameter, so " -- "we don't know how to generate remediation content.".format( -- data["_rule_id"])) -- data["sysctlval_remediate"] = data["sysctlval"] -- - # Configure data for test scenarios - if data["datatype"] not in ["string", "int"]: - raise ValueError( -@@ -41,7 +32,7 @@ def preprocess(data, lang): - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): -- data["sysctl_correct_value"] = data["sysctlval_remediate"] -+ data["sysctl_correct_value"] = data["sysctlval"][0] - data["sysctl_wrong_value"] = data["sysctlval_wrong"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - -From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 15:47:11 +0200 -Subject: [PATCH 17/23] Rename a template parameter - -Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing ---- - docs/templates/template_reference.md | 4 ++-- - .../rule.yml | 2 +- - shared/templates/sysctl/template.py | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 00f991daae7..4e6357c1579 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo - in the OVAL check, but won't be used in the remediations. - All remediations will use an XCCDF value instead. - -- - **sysctlval_wrong** - the value that is always wrong. This will be used -- only in the test scenarios only if **sysctlval** is a list. -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used -+ only in the templated test scenarios only if **sysctlval** is a list. 
- - - **missing_static_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 9936ed777c8..b8af4f7560d 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -77,6 +77,6 @@ template: - sysctlval: - - '1' - - '2' -- sysctlval_wrong: "0" -+ wrong_sysctlval_for_testing: "0" - missing_static_pass: "true" - datatype: int -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 2b779f99a62..9083a6a4185 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -33,7 +33,7 @@ def preprocess(data, lang): - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): - data["sysctl_correct_value"] = data["sysctlval"][0] -- data["sysctl_wrong_value"] = data["sysctlval_wrong"] -+ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - -From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 15:56:26 +0200 -Subject: [PATCH 18/23] Rename parameter missing_static_pass - -Rename the parameter missing_static_pass to missing_parameter_pass -to make the naming consistent with other templates where a parameter -with a similar meaning exist. 
---- - docs/templates/template_reference.md | 2 +- - .../rule.yml | 2 +- - .../tests/test_config.yml | 2 +- - shared/templates/sysctl/oval.template | 6 +++--- - 4 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 4e6357c1579..0fff58c0a23 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo - - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used - only in the templated test scenarios only if **sysctlval** is a list. - -- - **missing_static_pass** - if set to `true` the check will pass if the -+ - **missing_parameter_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - configuration files. In other words, the check will pass if the system - default isn't overriden by configuration. Default value: `false`. 
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index b8af4f7560d..7d8769a913f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -78,5 +78,5 @@ template: - - '1' - - '2' - wrong_sysctlval_for_testing: "0" -- missing_static_pass: "true" -+ missing_parameter_pass: "true" - datatype: int -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -index c379680e25c..5cf68074050 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -@@ -1,5 +1,5 @@ - deny_templated_scenarios: -- # this rule uses missing_static_pass: true which means the check should pass -+ # this rule uses missing_parameter_pass: true which means the check should pass - # if the configuration is missing (or commented out) therefore we disable - # line_not_there.fail.sh and comment.fail.sh test scenarios - - line_not_there.fail.sh -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 8241c391ad2..1a7c4979bbe 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -126,7 +126,7 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} --{{% 
if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - {{% endif %}} - -@@ -147,13 +147,13 @@ - - {{% endif %}} - --{{% if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - - {{% endif %}} - - --{{% if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - -From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 16:26:03 +0200 -Subject: [PATCH 19/23] Add a variable - sysctl_kernel_unprivileged_bpf_disabled_value - ---- - ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -new file mode 100644 -index 00000000000..b8bf965a255 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -0,0 +1,18 @@ -+documentation_complete: true -+ -+title: kernel.unprivileged_bpf_disabled -+ -+description: |- -+ Prevent unprivileged processes from using the bpf() syscall. 
-+ -+type: number -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ default: 2 -+ 0: "0" -+ 1: "1" -+ 2: "2" - -From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:09 +0200 -Subject: [PATCH 20/23] Improve documentation of the sysctl template - ---- - docs/templates/template_reference.md | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 0fff58c0a23..e73b95450fe 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo - specified, or an atomic value, eg. `'1'`, or a list of values, - eg. `['1','2']`. - - If this parameter is not specified, an XCCDF Value is used instead -- in OVAL check and remediations. -+ in OVAL check and remediations. The XCCDF Value should have a file -+ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, -+ where the `escaped_sysctlvar` is a value of the **sysctlvar** -+ parameter in which all characters that don't match the `\w` regular -+ expression are replaced by an underscore (`_`). - - If this parameter is set to an atomic value, this atomic value - will be used in OVAL check and remediations. - - If this parameter is set to a list of values, the list will be used - in the OVAL check, but won't be used in the remediations. - All remediations will use an XCCDF value instead. - -- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used -- only in the templated test scenarios only if **sysctlval** is a list. -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This -+ will be used in templated test scenarios when **sysctlval** is a list. 
- - - **missing_parameter_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - -From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:34 +0200 -Subject: [PATCH 21/23] Remove RHEL 8 STIG ID - ---- - .../rule.yml | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 7d8769a913f..ec3b5aef82f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -33,8 +33,6 @@ references: - nist: AC-6,SC-7(10) - ospp: FMT_SMF_EXT.1 - srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 -- stigid@ol8: OL08-00-040281 -- stigid@rhel8: RHEL-08-040281 - - ocil: |- - The runtime status of the kernel.unprivileged_bpf_disabled - -From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:47 +0200 -Subject: [PATCH 22/23] Fix a typo - ---- - .../rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index ec3b5aef82f..589deccb0c7 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -62,7 +62,7 @@ ocil: |- - 
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" - - fixtext: |- -- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. -+ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. - - srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' - - -From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 27 Jul 2022 10:36:04 +0200 -Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description - ---- - .../rule.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 589deccb0c7..259d1f901c6 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -13,11 +13,13 @@ description: |- - disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. - Once set to 1, this can't be cleared from the running kernel anymore. - -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ - Writing 2 to this entry will also disable unprivileged calls to bpf(), - however, an admin can still change this setting later on, if needed, by - writing 0 or 1 to this entry. 
- -- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} - - rationale: |- - Loading and accessing the packet filters programs and maps using the bpf() diff --git a/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch b/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch deleted file mode 100644 index 7e5ee66..0000000 --- a/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch +++ /dev/null 
@@ -1,92 +0,0 @@
-From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Mon, 8 Aug 2022 14:34:34 +0200
-Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
- configuring queues
-
----
- .../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index 4ce56d2e6a5..c73d9ec95a6 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -90,3 +90,20 @@ fixtext: |-
- *.* @@[remoteloggingserver]:[port]"
-
- srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
-+
-+warnings:
-+ - functionality: |-
-+ It is important to configure queues in case the client is sending log
-+ messages to a remote server. If queues are not configured, there is a
-+ danger that the system will stop functioning in case that the connection
-+ to the remote server is not available. Please consult Rsyslog
-+ documentation for more information about configuration of queues. The
-+ example configuration which should go into /etc/rsyslog.conf
-+ can look like the following lines:
-+
-+        $ActionQueueType LinkedList
-+        $ActionQueueFileName somenameforprefix
-+        $ActionQueueMaxDiskSpace 1g
-+        $ActionQueueSaveOnShutdown on
-+        $ActionResumeRetryCount -1
-+        
-
-From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
-From: vojtapolasek
-Date: Tue, 9 Aug 2022 09:41:00 +0200
-Subject: [PATCH 2/3] Apply suggestions from code review
-
-Co-authored-by: Watson Yuuma Sato
----
- .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index c73d9ec95a6..706d3265a08 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -95,14 +95,14 @@ warnings:
- - functionality: |-
- It is important to configure queues in case the client is sending log
- messages to a remote server. If queues are not configured, there is a
-- danger that the system will stop functioning in case that the connection
-+ the system will stop functioning when the connection
- to the remote server is not available. Please consult Rsyslog
- documentation for more information about configuration of queues. The
- example configuration which should go into /etc/rsyslog.conf
- can look like the following lines:
-
-         $ActionQueueType LinkedList
--        $ActionQueueFileName somenameforprefix
-+        $ActionQueueFileName queuefilename
-         $ActionQueueMaxDiskSpace 1g
-         $ActionQueueSaveOnShutdown on
-         $ActionResumeRetryCount -1
-
-From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
-From: vojtapolasek 
-Date: Tue, 9 Aug 2022 10:55:04 +0200
-Subject: [PATCH 3/3] Update
- linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-
-Co-authored-by: Watson Yuuma Sato 
----
- .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml    | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index 706d3265a08..cce4d5cac1d 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
- warnings:
-     - functionality: |-
-         It is important to configure queues in case the client is sending log
--        messages to a remote server. If queues are not configured, there is a
-+        messages to a remote server. If queues are not configured,
-         the system will stop functioning when the connection
-         to the remote server is not available. Please consult Rsyslog
-         documentation for more information about configuration of queues. The
diff --git a/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch b/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
deleted file mode 100644
index 6a425f4..0000000
--- a/SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
+++ /dev/null
@@ -1,472 +0,0 @@
-From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Mon, 14 Nov 2022 15:46:12 +0100
-Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny
-
-Rules are stored in different places depending on the system version.
-These changes are now explicit in ocil and fixtext. In RHEL8.6 it was
-introduced the rules.d feature and together the fagenrules script which
-reads and concatenate the rules from rules.d to finally save the result
-in the /etc/fapolicyd/compiled.rules file.
----
- .../services/fapolicyd/fapolicy_default_deny/rule.yml  | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-index 5b9a1649571..eeecd34e69a 100644
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-@@ -39,10 +39,14 @@ ocil: |-
- 
-     permissive = 0
- 
--    Check that fapolicyd employs a deny-all policy on system mounts with the following command:
-+    Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
- 
-+    For RHEL 8.5 systems and older:
-     $ sudo tail /etc/fapolicyd/fapolicyd.rules
- 
-+    For RHEL 8.6 systems and newer:
-+    $ sudo tail /etc/fapolicyd/compiled.rules
-+
-     allow exe=/usr/bin/python3.7 : ftype=text/x-python
-     deny_audit perm=any pattern=ld_so : all
-     deny perm=any all : all
-@@ -54,8 +58,12 @@ fixtext: |-
- 
-     permissive = 1
- 
-+    For RHEL 8.5 systems and older:
-     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
- 
-+    For RHEL 8.6 systems and newer:
-+    Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
-+
-     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
- 
-     permissive = 0
-
-From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Thu, 17 Nov 2022 09:40:20 +0100
-Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny
-
-Firsly the existing checks were aligned to the style guides and the
-comments were reviewed. The regex used to identify the expected policy
-was also fixed since it wasn't ensuring the deny policy if defined in a
-wrong position. Finally, it was extended the assessment to consider the
-/etc/fapolicyd/compiled.rules file.
----
- .../fapolicy_default_deny/oval/shared.xml     | 64 +++++++++++++------
- 1 file changed, 43 insertions(+), 21 deletions(-)
-
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
-index 9989459ad22..40bdcf870ca 100644
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
-@@ -4,36 +4,58 @@
-         oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
-         }}}
-         
--        
--        
-+            
-+                
-+                
-+            
-+            
-         
-     
- 
--    
--        
-+    
-+        
-     
--    
--        
-+
-+    
-+        /etc/fapolicyd/compiled.rules
-+        ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z
-+        1
-+    
-+
-+    
-+        
-+    
-+
-+    
-         /etc/fapolicyd/fapolicyd.rules
--        (^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$
-+        ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z
-         1
-     
--    
--        
--        
-+
-+    
-+        
-+        
-     
--    
-+
-+    
-         /etc/fapolicyd/fapolicyd.conf
-         ^\s*permissive\s*=\s*(\d+)
--        1
-+        1
-     
--    
--    0
--  
-+
-+    
-+        0
-+    
- 
-
-From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Thu, 17 Nov 2022 10:32:51 +0100
-Subject: [PATCH 3/5] Refactored the test scenario scripts
-
-The scripts were invalid and wrongly reporting results. The main issue
-was in scripts which intended to create two lines in a file but were
-overwriting the entire file in the second command instead of append the
-second line. The scripts were also refactored to consider systems using
-the rules.d feature and also older systems which doesn't have the
-rules.d feature. Another issue was that "no_quotes" was false by default
-in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect
-quotes and this was causing inconsistency in the file, so the no_quotes
-was set to true when calling the macro from test scenarios. Finally the
-scripts names were better aligned to their respective scenarios.
----
- .../tests/allow_policy.fail.sh                 | 18 ++++++++++++++++++
- .../tests/commented_value.fail.sh              | 12 ------------
- .../tests/correct_value.pass.sh                | 12 ------------
- .../tests/deny_not_last.fail.sh                | 12 ------------
- .../tests/deny_policy.pass.sh                  | 18 ++++++++++++++++++
- .../tests/deny_policy_but_permissive.fail.sh   | 16 ++++++++++++++++
- .../tests/deny_policy_commented.fail.sh        | 18 ++++++++++++++++++
- .../tests/deny_policy_not_ensured.fail.sh      | 18 ++++++++++++++++++
- .../tests/fapolicy_permissive.fail.sh          |  5 -----
- .../tests/wrong_value.fail.sh                  | 11 -----------
- 10 files changed, 88 insertions(+), 52 deletions(-)
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
- delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
- delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
- delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
- delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
- delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
-new file mode 100644
-index 00000000000..23d7e699056
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
-@@ -0,0 +1,18 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
-+
-+if [ -f /etc/fapolicyd/compiled.rules ]; then
-+    active_rules_file="/etc/fapolicyd/compiled.rules"
-+else
-+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
-+fi
-+
-+truncate -s 0 $active_rules_file
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-+echo "allow perm=any all : all" >> $active_rules_file
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
-deleted file mode 100644
-index a8df835af76..00000000000
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
-+++ /dev/null
-@@ -1,12 +0,0 @@
--#!/bin/bash
--# packages = fapolicyd
--# remediation = none
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
--
--truncate -s 0 /etc/fapolicyd/fapolicyd.rules
--
--echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
--echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
-deleted file mode 100644
-index c88406b0be4..00000000000
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
-+++ /dev/null
-@@ -1,12 +0,0 @@
--#!/bin/bash
--# packages = fapolicyd
--# remediation = none
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
--
--truncate -s 0 /etc/fapolicyd/fapolicyd.rules
--
--echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
--echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
-deleted file mode 100644
-index 59b16308563..00000000000
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
-+++ /dev/null
-@@ -1,12 +0,0 @@
--#!/bin/bash
--# packages = fapolicyd
--# remediation = none
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
--
--truncate -s 0 /etc/fapolicyd/fapolicyd.rules
--
--echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
--echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
-new file mode 100644
-index 00000000000..f3ff83ca602
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
-@@ -0,0 +1,18 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
-+
-+if [ -f /etc/fapolicyd/compiled.rules ]; then
-+    active_rules_file="/etc/fapolicyd/compiled.rules"
-+else
-+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
-+fi
-+
-+truncate -s 0 $active_rules_file
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-+echo "deny perm=any all : all" >> $active_rules_file
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
-new file mode 100644
-index 00000000000..caa401ca174
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
-@@ -0,0 +1,16 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
-+
-+if [ -f /etc/fapolicyd/compiled.rules ]; then
-+    active_rules_file="/etc/fapolicyd/compiled.rules"
-+else
-+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
-+fi
-+
-+truncate -s 0 $active_rules_file
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-+echo "deny perm=any all : all" >> $active_rules_file
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
-new file mode 100644
-index 00000000000..4e4bc430cec
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
-@@ -0,0 +1,18 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
-+
-+if [ -f /etc/fapolicyd/compiled.rules ]; then
-+    active_rules_file="/etc/fapolicyd/compiled.rules"
-+else
-+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
-+fi
-+
-+truncate -s 0 $active_rules_file
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-+echo "# deny perm=any all : all" >> $active_rules_file
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
-new file mode 100644
-index 00000000000..b52e5446afc
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
-@@ -0,0 +1,18 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
-+
-+if [ -f /etc/fapolicyd/compiled.rules ]; then
-+    active_rules_file="/etc/fapolicyd/compiled.rules"
-+else
-+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
-+fi
-+
-+truncate -s 0 $active_rules_file
-+
-+echo "deny perm=any all : all" >> $active_rules_file
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
-deleted file mode 100644
-index 50756a0e7a3..00000000000
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
-+++ /dev/null
-@@ -1,5 +0,0 @@
--#!/bin/bash
--# packages = fapolicyd
--# remediation = none
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-deleted file mode 100644
-index da3e33f57fd..00000000000
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-+++ /dev/null
-@@ -1,11 +0,0 @@
--#!/bin/bash
--# packages = fapolicyd
--# remediation = none
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
--
--truncate -s 0 /etc/fapolicyd/fapolicyd.rules
--
--echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
--
--{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-
-From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Thu, 17 Nov 2022 11:02:34 +0100
-Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces
-
-Once the test scenario scripts were fixed, an issue was revelead in
-bash_shell_file_set macro. The macro was not considering config files
-which have spaces before and after the separator carachter. Since the
-separator_regex parameter already expects regex format, it was easily
-extended.
----
- shared/macros/10-bash.jinja | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
-index ae0f0e5e6ad..0e369314645 100644
---- a/shared/macros/10-bash.jinja
-+++ b/shared/macros/10-bash.jinja
-@@ -122,13 +122,13 @@ fi
- {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
- {{% if no_quotes -%}}
-   {{% if "$" in value %}}
--  {{% set value = '%s' % value.replace("$", "\\$") %}}
-+    {{% set value = '%s' % value.replace("$", "\\$") %}}
-   {{% endif %}}
- {{%- else -%}}
-   {{% if "$" in value %}}
--  {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
-+    {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
-   {{% else %}}
--  {{% set value = "'%s'" % value %}}
-+    {{% set value = "'%s'" % value %}}
-   {{% endif %}}
- {{%- endif -%}}
- {{{ set_config_file(
-@@ -140,7 +140,7 @@ fi
-         insert_before="^#\s*" ~ parameter,
-         insensitive=false,
-         separator="=",
--        separator_regex="=",
-+        separator_regex="\s*=\s*",
-         prefix_regex="^\s*")
-     }}}
- {{%- endmacro -%}}
-
-From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Fri, 18 Nov 2022 09:58:47 +0100
-Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
-
-The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor
-version text.
----
- .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml   | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-index eeecd34e69a..220801bc471 100644
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-@@ -41,10 +41,12 @@ ocil: |-
- 
-     Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
- 
-+    {{%- if product in ["rhel8"] %}}
-     For RHEL 8.5 systems and older:
-     $ sudo tail /etc/fapolicyd/fapolicyd.rules
- 
-     For RHEL 8.6 systems and newer:
-+    {{%- endif %}}
-     $ sudo tail /etc/fapolicyd/compiled.rules
- 
-     allow exe=/usr/bin/python3.7 : ftype=text/x-python
-@@ -58,10 +60,12 @@ fixtext: |-
- 
-     permissive = 1
- 
-+    {{%- if product in ["rhel8"] %}}
-     For RHEL 8.5 systems and older:
-     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
- 
-     For RHEL 8.6 systems and newer:
-+    {{%- endif %}}
-     Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
- 
-     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
diff --git a/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch b/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
deleted file mode 100644
index 542cff4..0000000
--- a/SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7e2c7cc70acfdd71c64a8d9c0b6ea365a65ac1d5 Mon Sep 17 00:00:00 2001
-From: Watson Sato 
-Date: Thu, 10 Nov 2022 14:01:17 +0100
-Subject: [PATCH 2/2] accounts_password: Add tests for conflicting and
- duplicate values
-
-Add tests for conflicting and duplicate values
----
- .../accounts_password/tests/conflicting_values.fail.sh    | 8 ++++++++
- .../accounts_password/tests/duplicated_values.pass.sh     | 7 +++++++
- 2 files changed, 15 insertions(+)
- create mode 100644 shared/templates/accounts_password/tests/conflicting_values.fail.sh
- create mode 100644 shared/templates/accounts_password/tests/duplicated_values.pass.sh
-
-diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
-new file mode 100644
-index 00000000000..3517ff43083
---- /dev/null
-+++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
-+
-+truncate -s 0 /etc/security/pwquality.conf
-+
-+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
-+
-+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
-diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
-new file mode 100644
-index 00000000000..e7b7f957d3d
---- /dev/null
-+++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
-+
-+truncate -s 0 /etc/security/pwquality.conf
-+
-+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
-+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
diff --git a/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch b/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
deleted file mode 100644
index bd588cb..0000000
--- a/SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 38edb566365afd64632ad12d532ccbafcb7b422b Mon Sep 17 00:00:00 2001
-From: Edgar Aguilar 
-Date: Thu, 28 Jul 2022 13:51:27 -0500
-Subject: [PATCH] Add OVAL to fapolicy_default_deny
-
-Add the rule fapolicy_default_deny to OL8 STIG profile, which covers
-requirement OL08-00-040137. Include tests to validate OVAL
-
-Signed-off-by: Edgar Aguilar 
----
- .../fapolicy_default_deny/oval/shared.xml     | 39 +++++++++++++++++++
- .../fapolicyd/fapolicy_default_deny/rule.yml  |  3 +-
- .../tests/commented_value.fail.sh             | 12 ++++++
- .../tests/correct_value.pass.sh               | 12 ++++++
- .../tests/deny_not_last.fail.sh               | 12 ++++++
- .../tests/fapolicy_permissive.fail.sh         |  5 +++
- .../tests/wrong_value.fail.sh                 | 11 ++++++
- products/ol8/profiles/stig.profile            |  1 +
- 8 files changed, 94 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
- create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
-new file mode 100644
-index 00000000000..9989459ad22
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
-@@ -0,0 +1,39 @@
-+
-+    
-+        {{{
-+        oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
-+        }}}
-+        
-+        
-+        
-+        
-+    
-+
-+    
-+        
-+    
-+    
-+        
-+        /etc/fapolicyd/fapolicyd.rules
-+        (^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$
-+        1
-+    
-+    
-+        
-+        
-+    
-+    
-+        /etc/fapolicyd/fapolicyd.conf
-+        ^\s*permissive\s*=\s*(\d+)
-+        1
-+    
-+    
-+    0
-+  
-+
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-index e6837e5d7bd..5b9a1649571 100644
---- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: rhel8,rhel9
-+prodtype: ol8,ol9,rhel8,rhel9
- 
- title: 'Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.'
- 
-@@ -25,6 +25,7 @@ references:
-   disa:  CCI-001764
-   nist: CM-7 (2),CM-7 (5) (b),CM-6 b
-   srg: SRG-OS-000368-GPOS-00154,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00232
-+  stigid@ol8: OL08-00-040137
-   stigid@rhel8: RHEL-08-040137
- 
- ocil_clause: 'fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy'
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
-new file mode 100644
-index 00000000000..a8df835af76
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-+
-+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-+echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
-new file mode 100644
-index 00000000000..c88406b0be4
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-+
-+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-+echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
-new file mode 100644
-index 00000000000..59b16308563
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-+
-+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-+
-+echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
-new file mode 100644
-index 00000000000..50756a0e7a3
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-new file mode 100644
-index 00000000000..da3e33f57fd
---- /dev/null
-+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# packages = fapolicyd
-+# remediation = none
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-+
-+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-+
-+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-+
-+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
-diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
-index 05f03d339e6..34a136b8489 100644
---- a/products/ol8/profiles/stig.profile
-+++ b/products/ol8/profiles/stig.profile
-@@ -1069,6 +1069,7 @@ selections:
-     - service_fapolicyd_enabled
- 
-     # OL08-00-040137
-+    - fapolicy_default_deny
- 
-     # OL08-00-040139
-     - package_usbguard_installed
diff --git a/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch b/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
deleted file mode 100644
index 4803446..0000000
--- a/SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From dc37d3c376cd3f2a2178d82a928629b231662cf9 Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Fri, 11 Nov 2022 12:05:28 +0100
-Subject: [PATCH] Align service_disabled template to service_enabled
-
----
- .../service_disabled/ansible.template         | 32 +++++--------------
- 1 file changed, 8 insertions(+), 24 deletions(-)
-
-diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
-index 5c70756b8af..752f6ac5099 100644
---- a/shared/templates/service_disabled/ansible.template
-+++ b/shared/templates/service_disabled/ansible.template
-@@ -3,39 +3,17 @@
- # strategy = disable
- # complexity = low
- # disruption = low
--{{%- if init_system == "systemd" %}}
- - name: Disable service {{{ SERVICENAME }}}
-   block:
-+  - name: Gather the package facts
-+    package_facts:
-+      manager: auto
-+
-   - name: Disable service {{{ SERVICENAME }}}
--    systemd:
--      name: "{{{ DAEMONNAME }}}.service"
-+    service:
-+      name: "{{{ DAEMONNAME }}}"
-       enabled: "no"
-       state: "stopped"
-       masked: "yes"
--    ignore_errors: 'yes'
--
--- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
--  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
--  args:
--    warn: False
--  register: socket_file_exists
--  changed_when: False
--  ignore_errors: True
--  check_mode: False
--
--- name: Disable socket {{{ SERVICENAME }}}
--  systemd:
--    name: "{{{ DAEMONNAME }}}.socket"
--    enabled: "no"
--    state: "stopped"
--    masked: "yes"
--  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
--{{% elif init_system == "upstart" %}}
--- name: Stop {{{ SERVICENAME }}}
--  command: /sbin/service '{{{ DAEMONNAME }}}' stop
--
--- name: Switch off {{{ SERVICENAME }}}
--  command: /sbin/chkconfig --level 0123456 '{{{ DAEMONNAME }}}' off
--{{%- else %}}
--JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
--{{%- endif %}}
-+    when:
-+    - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
diff --git a/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch b/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
deleted file mode 100644
index 8764498..0000000
--- a/SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Fri, 11 Nov 2022 12:27:11 +0100
-Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
- module
-
----
- .../system/accounts/enable_authselect/ansible/shared.yml    | 2 --
- .../audit_rules_privileged_commands/ansible/shared.yml      | 2 --
- .../audit_rules_suid_privilege_function/ansible/shared.yml  | 2 --
- .../rpm_verification/rpm_verify_hashes/ansible/shared.yml   | 6 ------
- .../rpm_verify_ownership/ansible/shared.yml                 | 6 ------
- .../rpm_verify_permissions/ansible/shared.yml               | 6 ------
- .../ensure_redhat_gpgkey_installed/ansible/shared.yml       | 2 --
- 8 files changed, 28 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-index afd658790f7..6a7324a7a64 100644
---- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
-@@ -17,8 +17,6 @@
-     cmd: rpm -qV pam
-   register: result_altered_authselect
-   ignore_errors: yes
--  args:
--    warn: False
-   when:
-     - result_authselect_select is failed
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-index 68c8497c859..bb1fec9e2b8 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-@@ -8,8 +8,6 @@
-   shell: |
-     set -o pipefail
-     find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
--  args:
--    warn: False
-     executable: /bin/bash
-   check_mode: no
-   register: find_result
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
-index b25361136af..c46cbbe3950 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
-@@ -49,8 +49,6 @@
- {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
- - name: Reload Auditd
-   command: /usr/sbin/service auditd reload
--  args:
--    warn: false
- {{%- endif %}}
-   when:
-     - (augenrules_audit_rules_privilege_function_update_result.changed or
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-index 0241e804b30..0d66cb349c0 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-@@ -22,8 +22,6 @@
- 
- - name: "Read files with incorrect hash"
-   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
-   register: files_with_incorrect_hash
-   changed_when: False
-   failed_when: files_with_incorrect_hash.rc > 1
-@@ -32,8 +30,6 @@
- 
- - name: Create list of packages
-   command: rpm -qf "{{ item }}"
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
-   with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
-   register: list_of_packages
-   changed_when: False
-@@ -44,8 +40,6 @@
- 
- - name: "Reinstall packages of files with incorrect hash"
-   command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
--  args:
--    warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
-   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
-   when:
-     - files_with_incorrect_hash.stdout_lines is defined
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-index ed490498a1d..f43b9bcef1c 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-@@ -5,8 +5,6 @@
- # disruption = medium
- - name: "Read list of files with incorrect ownership"
-   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
-   register: files_with_incorrect_ownership
-   failed_when: files_with_incorrect_ownership.rc > 1
-   changed_when: False
-@@ -14,8 +12,6 @@
- 
- - name: Create list of packages
-   command: rpm -qf "{{ item }}"
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
-   with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
-   register: list_of_packages
-   changed_when: False
-@@ -24,7 +20,5 @@
- 
- - name: "Correct file ownership with RPM"
-   command: "rpm --quiet --setugids '{{ item }}'"
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
-   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
-   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-index 419ef95a323..0bd8e7e8ad5 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-@@ -5,8 +5,6 @@
- # disruption = medium
- - name: "Read list of files with incorrect permissions"
-   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
-   register: files_with_incorrect_permissions
-   failed_when: files_with_incorrect_permissions.rc > 1
-   changed_when: False
-@@ -14,8 +12,6 @@
- 
- - name: Create list of packages
-   command: rpm -qf "{{ item }}"
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
-   with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
-   register: list_of_packages
-   changed_when: False
-@@ -24,7 +20,5 @@
- 
- - name: "Correct file permissions with RPM"
-   command: "rpm --setperms '{{ item }}'"
--  args:
--    warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
-   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
-   when: (files_with_incorrect_permissions.stdout_lines | length > 0)
-diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
-index f6f590820e1..6ab9bdee767 100644
---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
-+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
-@@ -18,8 +18,6 @@
-   {{%- else -%}}
-   command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-   {{%- endif %}}
--  args:
--    warn: False
-   changed_when: False
-   register: gpg_fingerprints
-   check_mode: no
-
-From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Tue, 15 Nov 2022 10:00:49 +0100
-Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations
-
----
- .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
- .../rpm_verification/rpm_verify_ownership/ansible/shared.yml    | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-index 0d66cb349c0..fd850def318 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-@@ -12,7 +12,7 @@
- - name: "Set fact: Package manager reinstall command (yum)"
-   set_fact:
-     package_manager_reinstall_cmd: yum reinstall -y
--  when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
-+  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
- 
- - name: "Read files with incorrect hash"
-   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-index f43b9bcef1c..5c39628ff4c 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
-@@ -19,6 +19,6 @@
-   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
- 
- - name: "Correct file ownership with RPM"
--  command: "rpm --quiet --setugids '{{ item }}'"
-+  command: "rpm --setugids '{{ item }}'"
-   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
-   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
-
-From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Tue, 15 Nov 2022 17:20:02 +0100
-Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
- all RHELs
-
----
- .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-index fd850def318..178a7711a54 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
-@@ -1,5 +1,5 @@
- # and the regex_findall does not filter out configuration files the same as bash remediation does
--# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- # reboot = false
- # strategy = restrict
- # complexity = high
diff --git a/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch b/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
deleted file mode 100644
index d407b9f..0000000
--- a/SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8c6d618070476bd81edd0524c895a3497fc902a6 Mon Sep 17 00:00:00 2001
-From: Watson Sato 
-Date: Thu, 10 Nov 2022 17:48:55 +0100
-Subject: [PATCH] accounts_password_pam_retry: Add test for dupes and conflicts
-
-Add test scenarios to ensure that conflicting values are failing
-and that duplicated rule are passing.
----
- .../tests/pwquality_conf_conflicting_values.fail.sh  | 12 ++++++++++++
- .../tests/pwquality_conf_duplicate_values.pass.sh    | 12 ++++++++++++
- 2 files changed, 24 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
-new file mode 100644
-index 00000000000..16bd1171a46
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# variables = var_password_pam_retry=3
-+
-+source common.sh
-+
-+CONF_FILE="/etc/security/pwquality.conf"
-+retry_cnt=3
-+
-+truncate -s 0 $CONF_FILE
-+
-+echo "retry = 3" >> $CONF_FILE
-+echo "retry = 4" >> $CONF_FILE
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-new file mode 100644
-index 00000000000..da37627dbb3
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# variables = var_password_pam_retry=3
-+
-+source common.sh
-+
-+CONF_FILE="/etc/security/pwquality.conf"
-+retry_cnt=3
-+
-+truncate -s 0 $CONF_FILE
-+
-+echo "retry = 3" >> $CONF_FILE
-+echo "retry = 3" >> $CONF_FILE
diff --git a/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch b/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
deleted file mode 100644
index 436af6a..0000000
--- a/SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From ddf34ef7c71b79ca12ccfcd00eada2c08c34d2c9 Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Mon, 14 Nov 2022 17:16:53 +0100
-Subject: [PATCH 1/2] Revert "Align service_disabled template to
- service_enabled"
-
-This reverts commit dc37d3c376cd3f2a2178d82a928629b231662cf9.
----
- .../service_disabled/ansible.template         | 32 ++++++++++++++-----
- 1 file changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
-index 752f6ac5099..5c70756b8af 100644
---- a/shared/templates/service_disabled/ansible.template
-+++ b/shared/templates/service_disabled/ansible.template
-@@ -3,17 +3,33 @@
- # strategy = disable
- # complexity = low
- # disruption = low
-+{{%- if init_system == "systemd" %}}
- - name: Disable service {{{ SERVICENAME }}}
-   block:
--  - name: Gather the package facts
--    package_facts:
--      manager: auto
--
-   - name: Disable service {{{ SERVICENAME }}}
--    service:
--      name: "{{{ DAEMONNAME }}}"
-+    systemd:
-+      name: "{{{ DAEMONNAME }}}.service"
-       enabled: "no"
-       state: "stopped"
-       masked: "yes"
--    when:
--    - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
-+    ignore_errors: 'yes'
-+
-+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
-+  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
-+  args:
-+    warn: False
-+  register: socket_file_exists
-+  changed_when: False
-+  ignore_errors: True
-+  check_mode: False
-+
-+- name: Disable socket {{{ SERVICENAME }}}
-+  systemd:
-+    name: "{{{ DAEMONNAME }}}.socket"
-+    enabled: "no"
-+    state: "stopped"
-+    masked: "yes"
-+  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
-+{{%- else %}}
-+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
-+{{%- endif %}}
-
-From 8c20a2bc997c0a24eba2a9924d832954b9e91b6a Mon Sep 17 00:00:00 2001
-From: Milan Lysonek 
-Date: Mon, 14 Nov 2022 17:37:50 +0100
-Subject: [PATCH 2/2] Make service_disabled template compatible with Ansible
- 2.14
-
----
- shared/templates/service_disabled/ansible.template | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
-index 5c70756b8af..72678e050cf 100644
---- a/shared/templates/service_disabled/ansible.template
-+++ b/shared/templates/service_disabled/ansible.template
-@@ -16,8 +16,6 @@
- 
- - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
-   command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
--  args:
--    warn: False
-   register: socket_file_exists
-   changed_when: False
-   ignore_errors: True
diff --git a/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch b/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
deleted file mode 100644
index cd6bf6d..0000000
--- a/SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
+++ /dev/null
@@ -1,1739 +0,0 @@
-From 2f0f9914e94e2aaf614b530548d94354a8bcab2d Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt 
-Date: Thu, 13 Oct 2022 18:59:06 +0200
-Subject: [PATCH 01/14] Improve rule descriptions for
- firewalld_sshd_port_enabled
-
-It was also included the platform section since the scope of this rule
-is only applicable to machines and not to containers.
----
- .../firewalld_sshd_port_enabled/rule.yml      | 24 ++++++++++++++-----
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-index 77ba9d3cca4..9b96faf222d 100644
---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-@@ -5,14 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
- title: 'Enable SSH Server firewalld Firewall Exception'
- 
- description: |-
--    By default, inbound connections to SSH's port are allowed. If
--    the SSH server is being used but denied by the firewall, this exception should
--    be added to the firewall configuration.
-+    If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
-+    remote access through SSH. In more restrictive firewalld settings, the SSH port should be
-+    added to the proper firewalld zone in order to allow SSH remote access.
-     

- {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} - - rationale: |- -- If inbound SSH connections are expected, adding a firewall rule exception -+ If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone - will allow remote access through the SSH port. - - severity: medium -@@ -28,11 +28,23 @@ references: - nist: AC-17(a),CM-6(b),CM-7(a),CM-7(b) - srg: SRG-OS-000096-GPOS-00050 - --ocil_clause: 'sshd service is disabled by firewall' -+platform: machine -+ -+ocil_clause: 'sshd service is not enabled in the proper firewalld zone' -+ - ocil: | - {{{ ocil_firewalld_allow_access(port="22", proto="tcp", service="ssh") }}} - - fixtext: |- -- Enable sshd in firewalld configuration. -+ Enable SSH service in firewalld configuration. - - {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} -+ -+warnings: -+ - general: |- -+ The remediation for this rule uses firewall-cmd and nmcli tools. -+ Therefore, it will only be executed if firewalld and NetworkManager -+ services are running. Otherwise, the remediation will be aborted and a informative message -+ will be shown in the remediation report. -+ These respective services will not be started in order to preserve any intentional change -+ in network components related to firewall and network interfaces. - -From 4e76d01001398948de8d1b085964bbb1ea68626c Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Fri, 14 Oct 2022 09:02:08 +0200 -Subject: [PATCH 02/14] Increase robustness of firewalld_sshd_port_enabled bash - remediation - -The remediation was not capable to properly treat some special cases, -like a system with multiple interfaces. It wasn't also capable to safely -configure the correct interface since it was assuming the NetworkManager -connection file was prefixed with the network interface name. In -addition, it is not stable to manually change firewalld XML files while -a proper command is present. 
This commit makes the remediation reliable -and assertive by using firewall-cmd and nmcli commands. ---- - .../bash/shared.sh | 76 +++++++++---------- - 1 file changed, 37 insertions(+), 39 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -index a328bee5c8a..e1b4f0fbd20 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -@@ -5,49 +5,47 @@ - # disruption = low - - {{{ bash_package_install("firewalld") }}} -- -+{{{ bash_package_install("NetworkManager") }}} - {{{ bash_instantiate_variables("firewalld_sshd_zone") }}} - --{{% if product in ['rhel9'] %}} -- {{% set network_config_path = "/etc/NetworkManager/system-connections/${interface}.nmconnection" %}} --{{% else %}} -- {{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${interface}" %}} --{{% endif %}} -+if firewall-cmd --state -q; then -+ # First make sure the SSH service is enabled in run-time for the proper zone. -+ # This is to avoid connection issues when new interfaces are addeded to this zone. -+ firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - --# This assumes that firewalld_sshd_zone is one of the pre-defined zones --if [ ! -f "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" ]; then -- cp "/usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml" "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" --fi --if ! 
grep -q 'service name="ssh"' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml"; then -- sed -i '/<\/description>/a \ -- ' "/etc/firewalld/zones/${firewalld_sshd_zone}.xml" --fi -+ if systemctl is-active NetworkManager; then -+ # This will collect all NetworkManager connections names -+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) - --# Check if any eth interface is bounded to the zone with SSH service enabled --nic_bound=false --readarray -t eth_interface_list < <(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') --for interface in "${eth_interface_list[@]}"; do -- if grep -qi "ZONE=$firewalld_sshd_zone" "{{{ network_config_path }}}"; then -- nic_bound=true -- break; -- fi --done -- --if [ $nic_bound = false ];then -- # Add first NIC to SSH enabled zone -- interface="${eth_interface_list[0]}" -- -- if ! firewall-cmd --state -q; then -- {{% if product in ['rhel9'] %}} -- {{{ bash_replace_or_append(network_config_path, '^zone=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}} -- {{% else %}} -- {{{ bash_replace_or_append(network_config_path, '^ZONE=', "$firewalld_sshd_zone", '%s=%s') | indent(8) }}} -- {{% endif %}} -+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+ # This will not change connections which are already assigned to any firewalld zone. 
-+ for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone -+ fi -+ done -+ systemctl restart NetworkManager - else -- # If firewalld service is running, we need to do this step with firewall-cmd -- # Otherwise firewalld will communicate with NetworkManage and will revert assigned zone -- # of NetworkManager managed interfaces upon reload -- firewall-cmd --permanent --zone="$firewalld_sshd_zone" --add-interface="${eth_interface_list[0]}" -- firewall-cmd --reload -+ echo " -+ NetworkManager service is not active. Remediation aborted! -+ This remediation could not be applied because it depends on NetworkManager service running. -+ The service is not started by this remediation in order to prevent connection issues." -+ exit 1 - fi -+ -+ # Active zones are zones with at least one interface assigned to it. -+ # It is possible that traffic is comming by any active interface and consequently any -+ # active zone. So, this make sure all active zones are permanently allowing SSH service. -+ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ for zone in $firewalld_active_zones; do -+ firewall-cmd --permanent --zone="$zone" --add-service=ssh -+ done -+ firewall-cmd --reload -+else -+ echo " -+ firewalld service is not active. Remediation aborted! -+ This remediation could not be applied because it depends on firewalld service running. -+ The service is not started by this remediation in order to prevent connection issues." 
-+ exit 1 - fi - -From a1fe2e8c34f8dbbaf573e6d6fa37b8e4fc63ad09 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Wed, 19 Oct 2022 13:19:46 +0200 -Subject: [PATCH 03/14] Include warning message regarging custom SSH port - ---- - .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml -index 9b96faf222d..d49a2af1d02 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml -@@ -48,3 +48,10 @@ warnings: - will be shown in the remediation report. - These respective services will not be started in order to preserve any intentional change - in network components related to firewall and network interfaces. -+ - general: |- -+ This rule also checks if the SSH port was modified by the administrator and is reflecting -+ the expected port number. Although this is checked, fixing the custom ssh.xml file is not -+ in the scope of the remediation since there is no reliable way to manually change the -+ respective file. If the default SSH port is modified, it is on the administrator -+ responsibility to ensure the firewalld customizations in the service port level are -+ properly configured. 
- -From b7c665bd163acb0595438223e4ebaa6a34e674a0 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Fri, 14 Oct 2022 15:03:33 +0200 -Subject: [PATCH 04/14] Review test scenario scripts - ---- - .../tests/no_nic_in_ssh_zone.fail.sh | 7 +------ - .../firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh | 4 ---- - .../tests/ssh_zone_and_nic_mismatch.fail.sh | 4 ---- - .../tests/ssh_zone_nic_bounded.pass.sh | 3 --- - 4 files changed, 1 insertion(+), 17 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh -index 7ed0c21ed1e..21d7c0eafc4 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh -@@ -1,9 +1,5 @@ - #!/bin/bash - # packages = firewalld --# --# remediation = none -- --# ensure firewalld installed - - # Make sure there is a zone with ssh service enabled - firewall-cmd --permanent --zone=work --add-service=ssh -@@ -11,8 +7,7 @@ firewall-cmd --permanent --zone=work --add-service=ssh - all_zones=$(firewall-cmd --get-zones) - eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') - --# Make sure NICs are bounded to no zone --# Note: Interfaces managed by NetworkManager will be assigned to the default firewalld zone -+# Make sure all NICs are not bounded to any zone - for zone in $all_zones; do - for interface in $eth_interfaces; do - firewall-cmd --permanent --zone=$zone --remove-interface=$interface -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh -index 78918c9fee5..41fb83d9489 100644 ---- 
a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh -@@ -1,9 +1,5 @@ - #!/bin/bash - # packages = firewalld --# --# remediation = none -- --# ensure firewalld installed - - all_zones=$(firewall-cmd --get-zones) - for zone in $all_zones;do -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh -index fed30230588..ab05492f74d 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh -@@ -1,9 +1,5 @@ - #!/bin/bash - # packages = firewalld --# --# remediation = none -- --# ensure firewalld installed - - # Make sure there is only one zone with ssh service enabled - all_zones=$(firewall-cmd --get-zones) -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh -index f426236466f..eabc38e7248 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh -@@ -1,8 +1,5 @@ - #!/bin/bash - # packages = firewalld --# -- --# ensure firewalld installed - - firewall-cmd --permanent --zone=public --add-service=ssh - - -From 32a41b09b0b963e3fb681a5ea617e96383e2277c Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Wed, 19 Oct 2022 08:39:04 +0200 -Subject: [PATCH 05/14] Reinvent the test scenarios for - firewalld_sshd_port_enabled - -The test scenarios were aligned to the 
old remediation approach, making -them also incomplete and incapable to catch real cases. Once the -remediation was robust, test scenarios also need the same level of -robustness in order to ensure the rules is as much realistic as -possible. They are now covering cases with multiple interfaces and -multiple active zones. It is also covered custom SSH port. ---- - .../tests/customized_zone_configured.pass.sh | 37 +++++++++++++++++ - .../tests/customized_zone_without_ssh.fail.sh | 37 +++++++++++++++++ - .../tests/new_zone_configured.pass.sh | 39 ++++++++++++++++++ - .../tests/new_zone_without_ssh.fail.sh | 40 +++++++++++++++++++ - .../tests/no_nic_in_ssh_zone.fail.sh | 18 --------- - .../tests/no_ssh_zone.fail.sh | 10 ----- - .../tests/only_nics_configured.fail.sh | 35 ++++++++++++++++ - .../tests/only_zones_configured.fail.sh | 34 ++++++++++++++++ - .../tests/ssh_port_enabled.pass.sh | 5 --- - .../tests/ssh_zone_and_nic_mismatch.fail.sh | 25 ------------ - .../tests/ssh_zone_nic_bounded.pass.sh | 8 ---- - .../tests/zones_and_nics_configured.pass.sh | 34 ++++++++++++++++ - .../zones_and_nics_ok_no_custom_files.pass.sh | 39 ++++++++++++++++++ - .../zones_and_nics_ok_port_changed.pass.sh | 38 ++++++++++++++++++ - 14 files changed, 333 insertions(+), 66 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh - delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh - delete mode 100644 
linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh - delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh - delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh - delete mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh -new file mode 100644 -index 00000000000..9bfd1737dc8 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh -@@ -0,0 +1,37 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. -+systemctl start firewalld NetworkManager -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. -+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=work --add-service=ssh -+ -+# Collect all NetworkManager connections names. 
-+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. -+for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone "work" -+ fi -+done -+systemctl restart NetworkManager -+ -+# Active zones are zones with at least one interface assigned to it. -+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ -+# It is possible that traffic is comming by any active interface and consequently any -+# active zone. So, this make sure all active zones are permanently allowing SSH service. -+# Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is -+# created in /etc/firewalld/zones. -+for zone in $firewalld_active_zones; do -+ firewall-cmd --permanent --zone="$zone" --add-service=ssh -+ firewall-cmd --permanent --zone="$zone" --add-service=http -+done -+ -+firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh -new file mode 100644 -index 00000000000..f1d152c683e ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh -@@ -0,0 +1,37 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. -+systemctl start firewalld NetworkManager -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. 
-+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=work --add-service=ssh -+ -+# Collect all NetworkManager connections names. -+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. -+for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone "work" -+ fi -+done -+systemctl restart NetworkManager -+ -+# Active zones are zones with at least one interface assigned to it. -+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ -+# It is possible that traffic is comming by any active interface and consequently any -+# active zone. So, this make sure all active zones are permanently allowing SSH service. -+# It is to ensure a custom file is created in /etc/firewalld/zones. -+for zone in $firewalld_active_zones; do -+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh -+ firewall-cmd --permanent --zone="$zone" --add-service=http -+done -+ -+# Do not reload, otherwise SSG Test suite will be locked out. -+#firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh -new file mode 100644 -index 00000000000..cb8849b3f9f ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh -@@ -0,0 +1,39 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. 
-+systemctl start firewalld NetworkManager -+ -+# Create a custom zone -+custom_zone_name="custom" -+firewall-cmd --new-zone=$custom_zone_name --permanent -+firewall-cmd --reload -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. -+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=$custom_zone_name --add-service=ssh -+ -+# Collect all NetworkManager connections names. -+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. -+for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone "$custom_zone_name" -+ fi -+done -+systemctl restart NetworkManager -+ -+# Active zones are zones with at least one interface assigned to it. -+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ -+# It is possible that traffic is comming by any active interface and consequently any -+# active zone. So, this make sure all active zones are permanently allowing SSH service. 
-+for zone in $firewalld_active_zones "$custom_zone_name"; do -+ firewall-cmd --permanent --zone="$zone" --add-service=ssh -+done -+ -+firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh -new file mode 100644 -index 00000000000..5e0a6453df7 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh -@@ -0,0 +1,40 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. -+systemctl start firewalld NetworkManager -+ -+# Create a custom zone -+custom_zone_name="custom" -+firewall-cmd --new-zone=$custom_zone_name --permanent -+firewall-cmd --reload -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. -+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=$custom_zone_name --add-service=ssh -+ -+# Collect all NetworkManager connections names. -+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. -+for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone "$custom_zone_name" -+ fi -+done -+systemctl restart NetworkManager -+ -+# Active zones are zones with at least one interface assigned to it. 
-+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ -+# It is possible that traffic is comming by any active interface and consequently any -+# active zone. So, this make sure all active zones are permanently allowing SSH service. -+for zone in $firewalld_active_zones "$custom_zone_name"; do -+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh -+done -+ -+# Do not reload, otherwise SSG Test suite will be locked out. -+#firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh -deleted file mode 100644 -index 21d7c0eafc4..00000000000 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_nic_in_ssh_zone.fail.sh -+++ /dev/null -@@ -1,18 +0,0 @@ --#!/bin/bash --# packages = firewalld -- --# Make sure there is a zone with ssh service enabled --firewall-cmd --permanent --zone=work --add-service=ssh -- --all_zones=$(firewall-cmd --get-zones) --eth_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') -- --# Make sure all NICs are not bounded to any zone --for zone in $all_zones; do -- for interface in $eth_interfaces; do -- firewall-cmd --permanent --zone=$zone --remove-interface=$interface -- done --done -- --# Do not reload, otherwise SSG Test suite will be locked out --# firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh -deleted file mode 100644 -index 41fb83d9489..00000000000 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/no_ssh_zone.fail.sh -+++ /dev/null -@@ -1,10 +0,0 @@ --#!/bin/bash --# packages = firewalld -- --all_zones=$(firewall-cmd --get-zones) --for zone in 
$all_zones;do -- firewall-cmd --permanent --zone=$zone --remove-service=ssh --done -- --# Do not reload, otherwise SSG Test suite will be locked out --# firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh -new file mode 100644 -index 00000000000..98525db2729 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh -@@ -0,0 +1,35 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. -+systemctl start firewalld NetworkManager -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. -+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=work --add-service=ssh -+ -+# Collect all NetworkManager connections names. -+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. -+for connection in $nm_connections; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone "work" -+ fi -+done -+systemctl restart NetworkManager -+ -+# Active zones are zones with at least one interface assigned to it. -+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) -+ -+# It is possible that traffic is comming by any active interface and consequently any -+# active zone. So, this make sure all active zones are permanently allowing SSH service. 
-+for zone in $firewalld_active_zones; do
-+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh
-+done
-+
-+# Do not reload, otherwise SSG Test suite will be locked out.
-+#firewall-cmd --reload
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
-new file mode 100644
-index 00000000000..e14d6c959dc
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh
-@@ -0,0 +1,34 @@
-+#!/bin/bash
-+# packages = firewalld, NetworkManager
-+# variables = firewalld_sshd_zone=work
-+
-+# Ensure the required services are started.
-+systemctl start firewalld NetworkManager
-+
-+# Ensure the SSH service is enabled in run-time for the proper zone.
-+# This is to avoid connection issues when new interfaces are addeded to this zone.
-+firewall-cmd --zone=work --add-service=ssh
-+
-+# Collect all NetworkManager connections names.
-+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
-+
-+# If the connection is already assigned to a firewalld zone, removes the assignment.
-+# This will not change connections which are not assigned to any firewalld zone.
-+for connection in $nm_connections; do
-+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
-+ if [ $current_zone != "--" ]; then
-+ nmcli connection modify "$connection" connection.zone ""
-+ fi
-+done
-+systemctl restart NetworkManager
-+
-+readarray -t firewalld_all_zones < <(firewall-cmd --get-zones)
-+
-+# Ensure all zones are permanently allowing SSH service.
-+for zone in $firewalld_all_zones; do -+ firewall-cmd --permanent --zone="$zone" --add-service=ssh -+done -+ -+# It is not a problem to reload the settings since all interfaces without an explicit assgined zone -+# will be automatically assigned to the default zone. -+firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh -deleted file mode 100644 -index c9959c40937..00000000000 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_port_enabled.pass.sh -+++ /dev/null -@@ -1,5 +0,0 @@ --#!/bin/bash --# packages = firewalld -- --firewall-cmd --add-port=22/tcp --firewall-cmd --add-port=22/tcp --permanent -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh -deleted file mode 100644 -index ab05492f74d..00000000000 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_and_nic_mismatch.fail.sh -+++ /dev/null -@@ -1,25 +0,0 @@ --#!/bin/bash --# packages = firewalld -- --# Make sure there is only one zone with ssh service enabled --all_zones=$(firewall-cmd --get-zones) --for zone in $all_zones;do -- firewall-cmd --permanent --zone=$zone --remove-service=ssh --done --firewall-cmd --permanent --zone=work --add-service=ssh -- --all_interfaces=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1) -- --# Make sure NICs are bounded to no zone --for zone in $all_zones; do -- for interface in $all_interfaces; do -- firewall-cmd --permanent --zone=$zone --remove-interface=$interface -- done --done -- --eth_interfaces=$(echo "$all_interfaces" | grep -E '^(en|eth)') --# Add interface to wrong zone --firewall-cmd --permanent --zone=trusted 
--add-interface=${eth_interfaces[0]} -- --# Do not reload, otherwise SSG Test suite will be locked out --# firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh -deleted file mode 100644 -index eabc38e7248..00000000000 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/ssh_zone_nic_bounded.pass.sh -+++ /dev/null -@@ -1,8 +0,0 @@ --#!/bin/bash --# packages = firewalld -- --firewall-cmd --permanent --zone=public --add-service=ssh -- --eth_interface=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') -- --firewall-cmd --permanent --zone=public --add-interface=${eth_interface[0]} -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh -new file mode 100644 -index 00000000000..489fe6ae7e8 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh -@@ -0,0 +1,34 @@ -+#!/bin/bash -+# packages = firewalld, NetworkManager -+# variables = firewalld_sshd_zone=work -+ -+# Ensure the required services are started. -+systemctl start firewalld NetworkManager -+ -+# Ensure the SSH service is enabled in run-time for the proper zone. -+# This is to avoid connection issues when new interfaces are addeded to this zone. -+firewall-cmd --zone=work --add-service=ssh -+ -+# Collect all NetworkManager connections names. -+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ -+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+# This will not change connections which are already assigned to any firewalld zone. 
-+for connection in $nm_connections; do
-+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
-+ if [ $current_zone = "--" ]; then
-+ nmcli connection modify "$connection" connection.zone "work"
-+ fi
-+done
-+systemctl restart NetworkManager
-+
-+# Active zones are zones with at least one interface assigned to it.
-+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
-+
-+# It is possible that traffic is comming by any active interface and consequently any
-+# active zone. So, this make sure all active zones are permanently allowing SSH service.
-+for zone in $firewalld_active_zones; do
-+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
-+done
-+
-+firewall-cmd --reload
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
-new file mode 100644
-index 00000000000..c53fb99de78
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh
-@@ -0,0 +1,39 @@
-+#!/bin/bash
-+# packages = firewalld, NetworkManager
-+# variables = firewalld_sshd_zone=work
-+
-+# Ensure the required services are started.
-+systemctl start firewalld NetworkManager
-+
-+# Ensure the SSH service is enabled in run-time for the proper zone.
-+# This is to avoid connection issues when new interfaces are addeded to this zone.
-+firewall-cmd --zone=work --add-service=ssh
-+
-+# Collect all NetworkManager connections names.
-+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
-+
-+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
-+# This will not change connections which are already assigned to any firewalld zone.
-+for connection in $nm_connections; do
-+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
-+ if [ $current_zone = "--" ]; then
-+ nmcli connection modify "$connection" connection.zone "work"
-+ fi
-+done
-+systemctl restart NetworkManager
-+
-+# Active zones are zones with at least one interface assigned to it.
-+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
-+
-+# It is possible that traffic is comming by any active interface and consequently any
-+# active zone. So, this make sure all active zones are permanently allowing SSH service.
-+for zone in $firewalld_active_zones; do
-+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
-+done
-+
-+# The work zone, used in this test scenario, allows ssh by default. Therefore, it is not expected
-+# the previous command will create a respective file in /etc. However, it makes sure the /etc dir
-+# is empty anyways.
-+rm -f /etc/firewalld/zones/*
-+
-+firewall-cmd --reload
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
-new file mode 100644
-index 00000000000..46c4ed5f4d7
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh
-@@ -0,0 +1,38 @@
-+#!/bin/bash
-+# packages = firewalld, NetworkManager
-+# variables = firewalld_sshd_zone=work, sshd_listening_port=2222
-+
-+# Ensure the required services are started.
-+systemctl start firewalld NetworkManager
-+
-+# Ensure the SSH service is enabled in run-time for the proper zone.
-+# This is to avoid connection issues when new interfaces are addeded to this zone.
-+firewall-cmd --zone=work --add-service=ssh
-+
-+# Collect all NetworkManager connections names.
-+readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2)
-+
-+# If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
-+# This will not change connections which are already assigned to any firewalld zone.
-+for connection in $nm_connections; do
-+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
-+ if [ $current_zone = "--" ]; then
-+ nmcli connection modify "$connection" connection.zone "work"
-+ fi
-+done
-+systemctl restart NetworkManager
-+
-+# Active zones are zones with at least one interface assigned to it.
-+readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
-+
-+# It is possible that traffic is comming by any active interface and consequently any
-+# active zone. So, this make sure all active zones are permanently allowing SSH service.
-+for zone in $firewalld_active_zones; do
-+ firewall-cmd --permanent --zone="$zone" --add-service=ssh
-+done
-+
-+cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
-+sed -i 's/port="22"/port="2222"/g' /etc/firewalld/services/ssh.xml
-+
-+# Do not reload, otherwise SSG Test suite will be locked out.
-+#firewall-cmd --reload
-
-From db26bb5efb0746c165e17294a7cde9c7e712cd85 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt
-Date: Thu, 13 Oct 2022 11:51:05 +0200
-Subject: [PATCH 06/14] Recreated OVAL assessment for
- firewalld_sshd_port_enabled
-
-There are some corner cases involving possible realistic scenarios with
-firewalld and NetworkManager. Based on the remediation refactoring, the
-OVAL assessment was also reformulated to be more simple and much more
-reliable. It is now checking firewalld packaged files and also custom
-files respecting the proper order in case of custom files.
---- - .../oval/shared.xml | 312 ++++++++++++------ - 1 file changed, 206 insertions(+), 106 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -index e944f938a59..e4c03c9aa4d 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -@@ -1,109 +1,209 @@ - -- -- {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to -- the SSH port (22).") }}} -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/firewalld/services -- ^.*\.xml$ -- /service/service[@name='ssh'] -- -- -- -- -- -- -- -- /etc/firewalld/services -- ^.*\.xml$ -- <port.*port="(\d+)" -- 1 -- -- -- -- -- -- -- /etc/firewalld/zones -- ^.*\.xml$ -- /zone/service[@name='ssh'] -- -- -- -- -- -- -- -- /etc/firewalld/zones -- ^.*\.xml$ -- <port.*port="(\d+)" -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/firewalld/zones -- -- /zone/service[@name='ssh'] -- -- -- -- -- -- -- .xml -- -- --{{% if product in ["fedora", "rhel9"] %}} -- -- /etc/NetworkManager/system-connections -- .*\.nmconnection -- ^zone=(.*)$ -- 1 -- --{{% else %}} -- -- /etc/sysconfig/network-scripts -- ifcfg-.* -- ^ZONE=(.*)$ -- 1 -- --{{% endif %}} -- -- -- -- -- -- -+ -+ {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to -+ the SSH service.") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -+ -+ -+ -+ -+ -+ -+ -+ var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{% if product in ["fedora", "rhel9"] %}} -+ /etc/NetworkManager/system-connections -+ .*\.nmconnection -+ ^zone=(.*)$ -+ {{% else %}} -+ /etc/sysconfig/network-scripts -+ ifcfg-.* -+ ^ZONE=(.*)$ -+ {{% endif %}} -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{% if product in ["fedora", 
"rhel9"] %}} -+ /etc/NetworkManager/system-connections -+ .*\.nmconnection -+ {{% else %}} -+ /etc/sysconfig/network-scripts -+ ifcfg-.* -+ {{% endif %}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /usr/lib/firewalld/zones -+ -+ /zone/service[@name='ssh'] -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/firewalld/zones -+ -+ -+ -+ -+ -+ ^(dmz|external|home|internal|public|trusted|work)\.xml$ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/firewalld/zones -+ ^.*\.xml$ -+ /zone/service[@name='ssh'] -+ -+ -+ -+ /zone/service[@name='ssh'] -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /usr/lib/firewalld/services/ssh.xml -+ /service/port[@port='22'] -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/firewalld/services/ssh.xml -+ <port.*port="(\d+)" -+ 1 -+ -+ -+ -+ -+ -+ -+ - - -From 84755e320f3f8fd73151c7d8e15370a1825b080d Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Wed, 19 Oct 2022 18:36:24 +0200 -Subject: [PATCH 07/14] Introduce new Ansible remediation - -The previous remediation, besides being disaligned to the previous bash -remediation, was also problematic. It was completly rewritten in this -commit in order to be aligned to the Bash remediation. It was also -enabled this Ansible remediation for all platforms, including RHEL9. 
---- - .../ansible/shared.yml | 97 +++++++++++++++---- - 1 file changed, 79 insertions(+), 18 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -index 2553a4d2e57..fa7830761df 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -@@ -1,28 +1,89 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol -+# platform = multi_platform_all - # reboot = false - # complexity = low - # strategy = configure - # disruption = low - --- name: Ensure firewalld is installed -- package: -+{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}} -+ -+- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed' -+ ansible.builtin.package: - name: "{{ item }}" - state: present - with_items: - - firewalld -+ - NetworkManager -+ -+- name: '{{{ rule_title }}} - Collect facts about system services' -+ ansible.builtin.service_facts: -+ register: result_services_states -+ -+- name: '{{{ rule_title }}} - Remediation is applicable if firewalld and NetworkManager services are running' -+ block: -+ - name: '{{{ rule_title }}} - Collect NetworkManager connections names' -+ ansible.builtin.shell: -+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 -+ register: result_nmcli_cmd_connections_names -+ changed_when: false -+ -+ - name: '{{{ rule_title }}} - Collect NetworkManager connections zones' -+ ansible.builtin.shell: -+ cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}' -+ register: result_nmcli_cmd_connections_zones -+ changed_when: false -+ with_items: -+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" -+ -+ - name: '{{{ 
rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' -+ ansible.builtin.command: -+ cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} -+ register: result_nmcli_cmd_connections_assignment -+ with_together: -+ - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" -+ - "{{ result_nmcli_cmd_connections_zones.results }}" -+ when: -+ - item.1.stdout == '--' -+ -+ - name: '{{{ rule_title }}} - Ensure NetworkManager connections changes are applied' -+ ansible.builtin.service: -+ name: NetworkManager -+ state: restarted -+ when: -+ - result_nmcli_cmd_connections_assignment is changed -+ -+ - name: '{{{ rule_title }}} - Collect firewalld active zones' -+ ansible.builtin.shell: -+ cmd: firewall-cmd --get-active-zones | grep -v interfaces -+ register: result_firewall_cmd_zones_names -+ changed_when: false -+ -+ - name: '{{{ rule_title }}} - Ensure firewalld zones allow SSH' -+ ansible.builtin.command: -+ cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh -+ register: result_nmcli_cmd_connections_assignment -+ changed_when: -+ - "'ALREADY_ENABLED' not in result_nmcli_cmd_connections_assignment.stderr" -+ with_items: -+ - "{{ result_firewall_cmd_zones_names.stdout_lines }}" -+ -+ - name: '{{{ rule_title }}} - Ensure firewalld changes are applied' -+ ansible.builtin.service: -+ name: firewalld -+ state: reloaded -+ when: -+ - result_nmcli_cmd_connections_assignment is changed -+ when: -+ - ansible_facts.services['firewalld.service'].state == 'running' -+ - ansible_facts.services['NetworkManager.service'].state == 'running' - --{{{ ansible_instantiate_variables("sshd_listening_port") }}} -- --- name: Enable SSHD in firewalld (custom port) -- firewalld: -- port: "{{ sshd_listening_port }}/tcp" -- permanent: yes -- state: enabled -- when: sshd_listening_port != 22 -- --- name: Enable SSHD in firewalld (default port) -- firewalld: -- service: ssh -- permanent: yes -- state: enabled -- when: 
sshd_listening_port == 22 -+- name: '{{{ rule_title }}} - Informative message based on services states' -+ ansible.builtin.assert: -+ that: -+ - ansible_facts.services['firewalld.service'].state == 'running' -+ - ansible_facts.services['NetworkManager.service'].state == 'running' -+ fail_msg: -+ - firewalld and NetworkManager services are not active. Remediation aborted! -+ - This remediation could not be applied because it depends on firewalld and NetworkManager services running. -+ - The service is not started by this remediation in order to prevent connection issues. -+ success_msg: -+ - {{{ rule_title }}} remediation successfully executed - -From d4f81e27994e17049f448d8410b4a8cfb5a9bdd2 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Thu, 20 Oct 2022 08:37:03 +0200 -Subject: [PATCH 08/14] Fix loop over array in bash remediation - ---- - .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -index e1b4f0fbd20..afb89b7005a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -@@ -19,7 +19,7 @@ if firewall-cmd --state -q; then - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
-- for connection in $nm_connections; do
-+ for connection in "${nm_connections[@]}"; do
- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
- if [ $current_zone = "--" ]; then
- nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
-@@ -38,7 +38,7 @@ if firewall-cmd --state -q; then
- # It is possible that traffic is comming by any active interface and consequently any
- # active zone. So, this make sure all active zones are permanently allowing SSH service.
- readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
-- for zone in $firewalld_active_zones; do
-+ for zone in "${firewalld_active_zones[@]}"; do
- firewall-cmd --permanent --zone="$zone" --add-service=ssh
- done
- firewall-cmd --reload
-
-From 403c44d66e06d5463758ba70abdca967a4173f69 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt
-Date: Thu, 20 Oct 2022 10:49:20 +0200
-Subject: [PATCH 09/14] Trim nmcli connection names output
-
-The output from nmcli command was including leading spaces in the
-connection names. This was causing the the subsequent nmcli command to
-fail resulting in connections without a firewalld zone defined.
---- - .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 4 ++-- - .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -index fa7830761df..6098155469c 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -@@ -22,7 +22,7 @@ - block: - - name: '{{{ rule_title }}} - Collect NetworkManager connections names' - ansible.builtin.shell: -- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 -+ cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g' - register: result_nmcli_cmd_connections_names - changed_when: false - -@@ -36,7 +36,7 @@ - - - name: '{{{ rule_title }}} - Ensure NetworkManager connections are assigned to a firewalld zone' - ansible.builtin.command: -- cmd: nmcli connection modify {{ item.0 | trim }} connection.zone {{ firewalld_sshd_zone }} -+ cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }} - register: result_nmcli_cmd_connections_assignment - with_together: - - "{{ result_nmcli_cmd_connections_names.stdout_lines }}" -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -index afb89b7005a..25e54f09477 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -@@ -15,7 +15,7 @@ if firewall-cmd --state -q; then - - if systemctl is-active NetworkManager; then - # This will collect all NetworkManager connections names 
-- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - -From df8cd2df8661a3fe9fb7d5b5b493a93e1f977654 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Thu, 20 Oct 2022 11:03:56 +0200 -Subject: [PATCH 10/14] Simplify the Bash remediation in alignment to Ansible - ---- - .../bash/shared.sh | 37 +++++++------------ - 1 file changed, 14 insertions(+), 23 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -index 25e54f09477..f883e614846 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -@@ -8,31 +8,22 @@ - {{{ bash_package_install("NetworkManager") }}} - {{{ bash_instantiate_variables("firewalld_sshd_zone") }}} - --if firewall-cmd --state -q; then -+if systemctl is-active NetworkManager && systemctl is-active firewalld; then - # First make sure the SSH service is enabled in run-time for the proper zone. - # This is to avoid connection issues when new interfaces are addeded to this zone. - firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - -- if systemctl is-active NetworkManager; then -- # This will collect all NetworkManager connections names -- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') -- -- # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. 
-- # This will not change connections which are already assigned to any firewalld zone. -- for connection in "${nm_connections[@]}"; do -- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -- if [ $current_zone = "--" ]; then -- nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone -- fi -- done -- systemctl restart NetworkManager -- else -- echo " -- NetworkManager service is not active. Remediation aborted! -- This remediation could not be applied because it depends on NetworkManager service running. -- The service is not started by this remediation in order to prevent connection issues." -- exit 1 -- fi -+ # This will collect all NetworkManager connections names -+ readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') -+ # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. -+ # This will not change connections which are already assigned to any firewalld zone. -+ for connection in "${nm_connections[@]}"; do -+ current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -+ if [ $current_zone = "--" ]; then -+ nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone -+ fi -+ done -+ systemctl restart NetworkManager - - # Active zones are zones with at least one interface assigned to it. - # It is possible that traffic is comming by any active interface and consequently any -@@ -44,8 +35,8 @@ if firewall-cmd --state -q; then - firewall-cmd --reload - else - echo " -- firewalld service is not active. Remediation aborted! -- This remediation could not be applied because it depends on firewalld service running. -+ firewalld and NetworkManager services are not active. Remediation aborted! -+ This remediation could not be applied because it depends on firewalld and NetworkManager services running. 
- The service is not started by this remediation in order to prevent connection issues."
- exit 1
- fi
-
-From 8642f416a9cdeb5f0bc06f44d17f845afe089ce6 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt
-Date: Thu, 20 Oct 2022 11:07:31 +0200
-Subject: [PATCH 11/14] Improve wording on warning about custom ssh.xml
-
----
- .../ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-index d49a2af1d02..7446a62379d 100644
---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
-@@ -49,9 +49,10 @@ warnings:
- These respective services will not be started in order to preserve any intentional change
- in network components related to firewall and network interfaces.
- - general: |-
-- This rule also checks if the SSH port was modified by the administrator and is reflecting
-- the expected port number. Although this is checked, fixing the custom ssh.xml file is not
-- in the scope of the remediation since there is no reliable way to manually change the
-- respective file. If the default SSH port is modified, it is on the administrator
-+ This rule also checks if the SSH port was modified by the administrator in the firewalld
-+ services definitions and is reflecting the expected port number. Although this is checked,
-+ fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
-+ is not in the scope of the remediation since there is no reliable way to manually change
-+ the respective file. If the default SSH port is modified, it is on the administrator
- responsibility to ensure the firewalld customizations in the service port level are
- properly configured.
- -From ab738103ab2c376dea88dcd797187adfbb07053f Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Thu, 20 Oct 2022 14:25:42 +0200 -Subject: [PATCH 12/14] Optimize test scenarios - -Some conditions were removed from test scenarios in order to make them -more resilient to test environment peculiarities. ---- - .../tests/customized_zone_configured.pass.sh | 4 ++-- - .../tests/customized_zone_without_ssh.fail.sh | 4 ++-- - .../tests/new_zone_configured.pass.sh | 7 ++----- - .../tests/new_zone_without_ssh.fail.sh | 7 ++----- - .../tests/only_nics_configured.fail.sh | 2 +- - .../tests/only_zones_configured.fail.sh | 7 ++----- - .../tests/zones_and_nics_configured.pass.sh | 2 +- - .../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +- - .../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +- - 9 files changed, 14 insertions(+), 23 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh -index 9bfd1737dc8..87e6871afb1 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
-@@ -30,8 +30,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - - # Most of the zones already allow ssh, so it is also allowed http to ensure a custom file is - # created in /etc/firewalld/zones. - for zone in $firewalld_active_zones; do -- firewall-cmd --permanent --zone="$zone" --add-service=ssh - firewall-cmd --permanent --zone="$zone" --add-service=http -+ firewall-cmd --permanent --zone="$zone" --add-service=ssh - done - - firewall-cmd --reload -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh -index f1d152c683e..383907d2cb7 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. -@@ -29,8 +29,8 @@ readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep - - # active zone. So, this make sure all active zones are permanently allowing SSH service. - # It is to ensure a custom file is created in /etc/firewalld/zones. 
- for zone in $firewalld_active_zones; do -- firewall-cmd --permanent --zone="$zone" --remove-service=ssh - firewall-cmd --permanent --zone="$zone" --add-service=http -+ firewall-cmd --permanent --zone="$zone" --remove-service=ssh - done - - # Do not reload, otherwise SSG Test suite will be locked out. -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh -index cb8849b3f9f..9993e53788c 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh -@@ -15,15 +15,12 @@ firewall-cmd --reload - firewall-cmd --zone=$custom_zone_name --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
- for connection in $nm_connections; do -- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -- if [ $current_zone = "--" ]; then -- nmcli connection modify "$connection" connection.zone "$custom_zone_name" -- fi -+ nmcli connection modify "$connection" connection.zone "$custom_zone_name" - done - systemctl restart NetworkManager - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh -index 5e0a6453df7..1301679b344 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh -@@ -15,15 +15,12 @@ firewall-cmd --reload - firewall-cmd --zone=$custom_zone_name --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
- for connection in $nm_connections; do -- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -- if [ $current_zone = "--" ]; then -- nmcli connection modify "$connection" connection.zone "$custom_zone_name" -- fi -+ nmcli connection modify "$connection" connection.zone "$custom_zone_name" - done - systemctl restart NetworkManager - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh -index 98525db2729..6552f3f4214 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh -index e14d6c959dc..72fc492e5bf 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh -@@ -10,15 +10,12 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is already assigned to a firewalld zone, removes the assignment. - # This will not change connections which are not assigned to any firewalld zone. 
- for connection in $nm_connections; do -- current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') -- if [ $current_zone != "--" ]; then -- nmcli connection modify "$connection" connection.zone "" -- fi -+ nmcli connection modify "$connection" connection.zone "" - done - systemctl restart NetworkManager - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh -index 489fe6ae7e8..02c627e5d00 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh -index c53fb99de78..9b3aa7d203f 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. --readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh -index 46c4ed5f4d7..3e27a0647b0 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh -@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager - firewall-cmd --zone=work --add-service=ssh - - # Collect all NetworkManager connections names. 
--readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2) -+readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - -From a2a49e9e8330c12b73e1c3873974bcb9a41691d4 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Mon, 24 Oct 2022 17:04:41 +0200 -Subject: [PATCH 13/14] Remediation applicable to all NetworkManager - connections - -The remediation was initially consirering to set a firewalld zone only -to active NetworkManager connections. However, it is possible that a -system has more valid connection which are simply not in use at the -moment. These inactive connections can be used at some point and if this -happen, they will also be compliant with an explicit firewalld zone -assigned to them. This way it is indeeded ensured all connections have a -firewalld zone assigned. 
---- - .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +- - .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -index 6098155469c..7b0bda3f10c 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml -@@ -22,7 +22,7 @@ - block: - - name: '{{{ rule_title }}} - Collect NetworkManager connections names' - ansible.builtin.shell: -- cmd: nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g' -+ cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }' - register: result_nmcli_cmd_connections_names - changed_when: false - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -index f883e614846..76822bf01d8 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh -@@ -14,7 +14,7 @@ if systemctl is-active NetworkManager && systemctl is-active firewalld; then - firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - - # This will collect all NetworkManager connections names -- readarray -t nm_connections < <(nmcli --fields CONNECTION device status | grep -v "\-\-" | tail -n+2 | sed 's/ *$//g') -+ readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. 
- for connection in "${nm_connections[@]}"; do - -From 657c1cc0331b97ee37e7a2d44e50fab668c33ce1 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Tue, 25 Oct 2022 15:40:15 +0200 -Subject: [PATCH 14/14] Improve regex to detect ifcfg files - -On RHEL7 and probably other distros which rely on ifcfg files by -default, there is a ifcfg file for the loopback interface, which is out -of the scope in this rule and should be ignored. This commit also -improved the wording in a OVAL comment to make it more clear. ---- - .../oval/shared.xml | 22 ++++++++++--------- - 1 file changed, 12 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -index e4c03c9aa4d..4adef2e53f5 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -@@ -59,7 +59,7 @@ - ^zone=(.*)$ - {{% else %}} - /etc/sysconfig/network-scripts -- ifcfg-.* -+ ^ifcfg-(?!lo).* - ^ZONE=(.*)$ - {{% endif %}} - 1 -@@ -88,7 +88,7 @@ - .*\.nmconnection - {{% else %}} - /etc/sysconfig/network-scripts -- ifcfg-.* -+ ^ifcfg-(?!lo).* - {{% endif %}} - - -@@ -164,12 +164,14 @@ - - - -- -+ directory with a file with the same name. So, its necessary to ensure the file delivered -+ by the package, in the /usr/lib/firewalld/services directory, was not changed. However, -+ if the file is changed, there is necessary to ensure there is a customized service -+ properly configured by the administrator. --> - -@@ -182,9 +184,9 @@ - /service/port[@port='22'] - - -- -+ - diff --git a/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch b/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch deleted file mode 100644 index f15f6f4..0000000 
--- a/SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Mon, 14 Nov 2022 15:23:32 +0100 -Subject: [PATCH 2/4] Update remediation to skip .bash_profile file - -This file can have the umask content but for a different purpose than -this rule intention. It was ignored in order to avoid changing the bash -history. Ansible and Bash were updated. ---- - .../accounts_umask_interactive_users/ansible/shared.yml | 4 +++- - .../accounts_umask_interactive_users/bash/shared.sh | 4 +++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml -index 67064ac4a3b..3586ae69cbe 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml -@@ -9,6 +9,8 @@ - cmd: | - for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do - for file in $(find $dir -maxdepth 1 -type f -name ".*"); do -- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file -+ if [ "$(basename $file)" != ".bash_history" ]; then -+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file -+ fi - done - done -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh -index d5f803db313..f524ff01f9a 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh -@@ -6,6 +6,8 @@ - - {{% call 
iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}} - {{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}} --sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file" -+if [ "$(basename $file)" != ".bash_history" ]; then -+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file" -+fi - {{%- endcall %}} - {{%- endcall %}} - -From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Mon, 14 Nov 2022 15:26:04 +0100 -Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment - ---- - .../tests/bash_history_ignored.pass.sh | 5 +++++ - 1 file changed, 5 insertions(+) - create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh - -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh -new file mode 100644 -index 00000000000..8eeffc233b2 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+USER="cac_user" -+useradd -m $USER -+echo "umask 022" > /home/$USER/.bash_history - -From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Mon, 14 Nov 2022 15:27:26 +0100 -Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file - -This rule targets user files where the umask can be changed. It is not the -case for .bash_history. In addition, it should be avoided to change the -.bash_history file by this rule remediations. 
---- - .../accounts_umask_interactive_users/oval/shared.xml | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml -index 42dbdbbae46..6f3eaa570d7 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml -@@ -29,8 +29,14 @@ - ^\..* - ^[\s]*umask\s* - 1 -+ state_accounts_umask_interactive_users_bash_history -
- -+ -+ ^\.bash_history -+ -+ - - -Date: Tue, 8 Nov 2022 13:53:14 +0100 -Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1 - -Following update from V1R8, update the STIG profile to configure -ClientAliveCountMax to 1. - -This will timeout SSH connections when client alive messages are not -received within ClientAliveInterval seconds. -This serves the purpose of disconnecting sessions when the client has -become unresponsive. ---- - .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 + - .../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 - - products/rhel8/profiles/stig.profile | 4 ++-- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -index bc8ee914565..df0681f3f3a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -@@ -55,6 +55,7 @@ references: - pcidss: Req-8.1.8 - srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 - stigid@ol7: OL07-00-040340 -+ stigid@rhel8: RHEL-08-010200 - stigid@sle12: SLES-12-030191 - stigid@ubuntu2004: UBTU-20-010036 - vmmsrg: SRG-OS-000480-VMM-002000 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -index 024cb687382..a02fa8f40db 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -@@ -54,7 +54,6 @@ references: - stigid@ol7: OL07-00-040340 - stigid@ol8: OL08-00-010200 - stigid@rhel7: RHEL-07-040340 -- stigid@rhel8: RHEL-08-010200 - stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 - vmmsrg: SRG-OS-000480-VMM-002000 -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 
96dfbf6b203..d184957f28c 100644 ---- a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ -50,7 +50,7 @@ selections: - - var_password_pam_lcredit=1 - - var_password_pam_retry=3 - - var_password_pam_minlen=15 -- # - var_sshd_set_keepalive=0 -+ - var_sshd_set_keepalive=1 - - sshd_approved_macs=stig - - sshd_approved_ciphers=stig - - sshd_idle_timeout_value=10_minutes -@@ -174,7 +174,7 @@ selections: - # they still need to be selected so it follows exactly what STIG - # states. - # RHEL-08-010200 -- - sshd_set_keepalive_0 -+ - sshd_set_keepalive - # RHEL-08-010201 - - sshd_set_idle_timeout - - -From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 8 Nov 2022 14:06:42 +0100 -Subject: [PATCH 2/7] Change verbiage on keepalive rules - -Stop using the 'idle', that implies an idle user; And -start using unresponsive, which better describes the state of network. ---- - .../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++------- - .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++--- - 2 files changed, 11 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -index df0681f3f3a..7a27c134f1e 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -@@ -7,14 +7,15 @@ description: |- - during a SSH session and waits for a response from the SSH client. - The option ClientAliveInterval configures timeout after - each ClientAliveCountMax message. If the SSH server does not -- receive a response from the client, then the connection is considered idle -+ receive a response from the client, then the connection is considered unresponsive - and terminated. 
- For SSH earlier than v8.2, a ClientAliveCountMax value of 0 -- causes an idle timeout precisely when the ClientAliveInterval is set. -+ causes a timeout precisely when the ClientAliveInterval is set. - Starting with v8.2, a value of 0 disables the timeout functionality - completely. If the option is set to a number greater than 0, then -- the idle session will be disconnected after -- ClientAliveInterval * ClientAliveCountMax seconds. -+ the session will be disconnected after -+ ClientAliveInterval * ClientAliveCountMax seconds without receiving -+ a keep alive message. - - rationale: |- - This ensures a user login will be terminated as soon as the ClientAliveInterval -@@ -70,8 +71,8 @@ ocil: |- -
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
- If properly configured, the output should be: -
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
-- For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when -+ For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when - the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout - functionality completely. -- If the option is set to a number greater than 0, then the idle session will be disconnected after -- ClientAliveInterval * ClientAliveCountMax seconds. -+ If the option is set to a number greater than 0, then the session will be disconnected after -+ ClientAliveInterval * ClientAliveCountMax seconds witout receiving a keep alive message. -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -index a02fa8f40db..55011ab66a7 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -@@ -10,10 +10,10 @@ description: |- - during a SSH session and waits for a response from the SSH client. - The option ClientAliveInterval configures timeout after - each ClientAliveCountMax message. If the SSH server does not -- receive a response from the client, then the connection is considered idle -+ receive a response from the client, then the connection is considered unresponsive - and terminated. - -- To ensure the SSH idle timeout occurs precisely when the -+ To ensure the SSH timeout occurs precisely when the - ClientAliveInterval is set, set the ClientAliveCountMax to - value of 0 in - {{{ sshd_config_file() }}} -@@ -73,7 +73,7 @@ ocil: |- - If properly configured, the output should be: -
ClientAliveCountMax 0
- -- In this case, the SSH idle timeout occurs precisely when -+ In this case, the SSH timeout occurs precisely when - the ClientAliveInterval is set. - - template: - -From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 8 Nov 2022 14:27:50 +0100 -Subject: [PATCH 3/7] Add tests to check for configuration conflicts - ---- - .../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++ - .../tests/param_conflict_directory.fail.sh | 13 +++++++++++++ - 2 files changed, 24 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh -new file mode 100644 -index 00000000000..54441cbb5b6 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config -+echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh -new file mode 100644 -index 00000000000..aa6931cc243 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+ -+# platform = multi_platform_fedora,Red Hat 
Enterprise Linux 9 -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf -+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf - -From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 8 Nov 2022 17:09:16 +0100 -Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax - -The rule was only checking the first occurence of ClientAliveCountMax, -but we need to check that all and any occurrences of -ClientAliveCountMax are compliant. ---- - .../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml -index 5e07d982821..404c36c8dbc 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml -@@ -49,7 +49,7 @@ - - /etc/ssh/sshd_config - ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$ -- 1 -+ 1 - - {{%- if sshd_distributed_config == "true" %}} - -Date: Tue, 8 Nov 2022 17:40:26 +0100 -Subject: [PATCH 5/7] Add test to check for configuration conflicts - -Add test for non distributed ssh config conflicts for -ClientAliveInterval. 
---- - .../tests/param_conflict.fail.sh | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh -new file mode 100644 -index 00000000000..1e14aa3da36 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh -@@ -0,0 +1,15 @@ -+#!/bin/bash -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config -+echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config -+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config - -From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 8 Nov 2022 17:41:19 +0100 -Subject: [PATCH 6/7] Change verbiage on idle timeout rule - -The config is not really about idle user timeout, the config is about -unresponsive network timeout. 
---- - .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -index aa085894f61..c5606aac557 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -@@ -1,12 +1,12 @@ - documentation_complete: true - --title: 'Set SSH Idle Timeout Interval' -+title: 'Set SSH Client Alive Interval' - - description: |- -- SSH allows administrators to set an idle timeout interval. After this interval -- has passed, the idle user will be automatically logged out. -+ SSH allows administrators to set a network responsiveness timeout interval. -+ After this interval has passed, the unresponsive client will be automatically logged out. -

-- To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as -+ To set this timeout interval, edit the following line in /etc/ssh/sshd_config as - follows: -
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}
-

-@@ -15,7 +15,7 @@ description: |- -

- If a shorter timeout has already been set for the login shell, that value will - preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that -- some processes may stop SSH from correctly detecting that the user is idle. -+ some processes may stop SSH from correctly detecting that the user is idle. - - rationale: |- - Terminating an idle ssh session within a short time period reduces the window of -@@ -81,7 +81,7 @@ ocil: |- - - warnings: - - dependency: |- -- SSH disconnecting idle clients will not have desired effect without also -+ SSH disconnecting unresponsive clients will not have desired effect without also - configuring ClientAliveCountMax in the SSH service configuration. - - general: |- - Following conditions may prevent the SSH session to time out: - -From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 9 Nov 2022 11:31:50 +0100 -Subject: [PATCH 7/7] Update profile stability test data - ---- - tests/data/profile_stability/rhel8/stig.profile | 3 ++- - tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index cadc3f5fc7a..51971451996 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -371,7 +371,7 @@ selections: - - sshd_print_last_log - - sshd_rekey_limit - - sshd_set_idle_timeout --- sshd_set_keepalive_0 -+- sshd_set_keepalive - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification -@@ -441,6 +441,7 @@ selections: - - var_password_pam_ucredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_retry=3 -+- var_sshd_set_keepalive=1 - - sshd_approved_macs=stig - - sshd_approved_ciphers=stig - - sshd_idle_timeout_value=10_minutes -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile 
b/tests/data/profile_stability/rhel8/stig_gui.profile -index bde4e18b068..fd150744167 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -381,7 +381,7 @@ selections: - - sshd_print_last_log - - sshd_rekey_limit - - sshd_set_idle_timeout --- sshd_set_keepalive_0 -+- sshd_set_keepalive - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification -@@ -449,6 +449,7 @@ selections: - - var_password_pam_ucredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_retry=3 -+- var_sshd_set_keepalive=1 - - sshd_approved_macs=stig - - sshd_approved_ciphers=stig - - sshd_idle_timeout_value=10_minutes diff --git a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch deleted file mode 100644 index 7069c5d..0000000 --- a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch +++ /dev/null 
@@ -1,142 +0,0 @@ -From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 10 Nov 2022 10:13:16 +0100 -Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts - ---- - .../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++ - .../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++ - 2 files changed, 28 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh -new file mode 100644 -index 00000000000..0eb6aab6804 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+ -+SSHD_PARAM="RekeyLimit" -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config -+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh -new file mode 100644 -index 00000000000..bc254a3a57c ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh -@@ -0,0 +1,15 @@ -+#!/bin/bash -+ -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 -+ -+SSHD_PARAM="RekeyLimit" -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q 
"^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf -+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf - -From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 10 Nov 2022 10:32:35 +0100 -Subject: [PATCH 2/3] Separate the SSHD parameter from the value - -Separate the SSHD paramater RekeyLimit from the compliant values. -This makes it possible to collect all occurrences of RekeyLimit and -compare each of then with the compliant values. ---- - .../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -index b2dd9039200..38c8a84aa3f 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -@@ -24,30 +24,36 @@ - - - -+ - - - - {{{ sshd_config_path }}} -- -+ ^[\s]*{{{ parameter }}}[\s]+(.*)$ - 1 - - - {{%- if sshd_distributed_config == "true" %}} - - -+ - - - - {{{ sshd_config_dir}}} - .*\.conf$ -- -+ ^[\s]*{{{ parameter }}}[\s]+(.*)$ - 1 - - {{%- endif %}} - -+ -+ -+ -+ - - -- ^[\s]*{{{ parameter }}}[\s]+ -+ ^ - - [\s]+ - - -From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 10 Nov 2022 10:39:45 +0100 -Subject: [PATCH 3/3] Add test for duplicated SSHD parameter - -Ensure the rule still passes when a parameter is defined multiple times -but have the same value. 
---- - .../tests/duplicated_param.pass.sh | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh -new file mode 100644 -index 00000000000..2e0d8145abd ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh -@@ -0,0 +1,14 @@ -+#!/bin/bash -+ -+SSHD_PARAM="RekeyLimit" -+ -+mkdir -p /etc/ssh/sshd_config.d -+touch /etc/ssh/sshd_config.d/nothing -+ -+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then -+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -+fi -+ -+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config -+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config -+ diff --git a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch b/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch deleted file mode 100644 index 6dbce06..0000000 --- a/SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From 93b9ab4f532710a8c063d7a71cbbeee26be2470b Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Tue, 8 Nov 2022 18:01:17 +0100
-Subject: [PATCH] Add test for param conflicts for SSH compression
-
----
- .../tests/param_conflict.fail.sh | 13 +++++++++++++
- .../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
- 2 files changed, 28 insertions(+)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
-new file mode 100644
-index 00000000000..a631b3207bd
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
-@@ -0,0 +1,13 @@
-+#!/bin/bash
-+
-+SSHD_PARAM="Compression"
-+
-+mkdir -p /etc/ssh/sshd_config.d
-+touch /etc/ssh/sshd_config.d/nothing
-+
-+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-+fi
-+
-+echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config
-+echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
-new file mode 100644
-index 00000000000..f1c15c139c7
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
-@@ -0,0 +1,15 @@
-+#!/bin/bash
-+
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
-+
-+SSHD_PARAM="Compression"
-+
-+mkdir -p /etc/ssh/sshd_config.d
-+touch 
/etc/ssh/sshd_config.d/nothing
-+
-+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-+fi
-+
-+echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf
-+echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf
diff --git a/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch b/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
deleted file mode 100644
index 7059572..0000000
--- a/SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 14 Nov 2022 15:16:32 +0100
-Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
-
-Sysctl options can also be defined in /usr/local/lib/sysctl.d/
----
- .../tests/correct_value_usr_local_lib.pass.sh | 14 ++++++++++++++
- .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
- 2 files changed, 28 insertions(+)
- create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
- create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
-
-diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
-new file mode 100644
-index 00000000000..3e366a9162f
---- /dev/null
-+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+{{% if SYSCTLVAL == "" %}}
-+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
-+{{% endif %}}
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
-+mkdir /usr/local/lib/sysctl.d/
-+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
-diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
-new file mode 100644
-index 00000000000..fee34ea272f
---- /dev/null
-+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+{{% if SYSCTLVAL == "" %}}
-+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
-+{{% endif %}}
-+
-+# Clean 
sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -+mkdir /usr/local/lib/sysctl.d/ -+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf -+ -+# Setting correct runtime value -+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" - -From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 14 Nov 2022 15:19:15 +0100 -Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs - -Update the template so that /usr/local/lib/sysctl.d is also checked for -sysctl onfigurations. ---- - shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index bbe646274f6..3fe6de1c185 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -138,6 +138,8 @@ - - {{% endif %}} -+ - - {{% if target_oval_version >= [5, 11] %}} - -@@ -181,6 +183,13 @@ - - {{% endif %}} - -+ -+ {{{ state_static_sysctld("usr_local_lib_sysctld") }}} -+ -+ - - - -@@ -190,7 +199,7 @@ - - - object_static_etc_sysctls_{{{ rule_id }}} -- object_static_run_usr_sysctls_{{{ rule_id }}} -+ object_static_run_usr_local_sysctls_{{{ rule_id }}} - - - -@@ -201,6 +210,13 @@ - -
- -+ -+ -+ object_static_usr_local_lib_sysctld_{{{ rule_id }}} -+ object_static_run_usr_sysctls_{{{ rule_id }}} -+ -+ -+ - - - object_static_run_sysctld_{{{ rule_id }}} -@@ -227,6 +243,12 @@ - {{{ sysctl_match() }}} - - -+ -+ /usr/local/lib/sysctl.d -+ ^.*\.conf$ -+ {{{ sysctl_match() }}} -+ -+ - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - /usr/lib/sysctl.d - -From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 14 Nov 2022 15:35:17 +0100 -Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations - -The Ansible remediation for some products were not aligned with the Bash -one. ---- - shared/templates/sysctl/ansible.template | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index edc4d3fb667..d67cdd2068c 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -9,12 +9,15 @@ - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" -+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -+ - "/usr/lib/sysctl.d/" -+{{% endif %}} - contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' - patterns: "*.conf" - file_type: any - register: find_sysctl_d - --- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files -+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files - replace: - path: "{{ item.path }}" - regexp: '^[\s]*{{{ SYSCTLVAR }}}' - -From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 14 Nov 2022 15:36:59 +0100 -Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d - -Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options -and comment them out. 
---- - shared/templates/sysctl/ansible.template | 1 + - shared/templates/sysctl/bash.template | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index d67cdd2068c..3ac5d072fcf 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -9,6 +9,7 @@ - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" -+ - "/usr/local/lib/sysctl.d/" - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - "/usr/lib/sysctl.d/" - {{% endif %}} -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index 27935c33612..83f50a74a06 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -6,9 +6,9 @@ - - # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} --for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do - {{% else %}} --for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do -+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - {{% endif %}} - matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq ) - if ! test -z "$matching_list"; then diff --git a/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch b/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch deleted file mode 100644 index e1bfb54..0000000 --- a/SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch +++ /dev/null 
@@ -1,6320 +0,0 @@ -From 2de56fa60573836543387b250fdd94c19f055393 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 8 Nov 2022 11:30:33 +0100 -Subject: [PATCH 1/4] Update DISA RHEL8 STIG manual benchmark to V1R8 - ---- - ... => disa-stig-rhel8-v1r8-xccdf-manual.xml} | 1021 +++++++++++------ - 1 file changed, 669 insertions(+), 352 deletions(-) - rename shared/references/{disa-stig-rhel8-v1r7-xccdf-manual.xml => disa-stig-rhel8-v1r8-xccdf-manual.xml} (87%) - -diff --git a/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml -similarity index 87% -rename from shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -rename to shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml -index a02819d3002..f92f552c3ba 100644 ---- a/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel8-v1r8-xccdf-manual.xml -@@ -1,28 +1,31 @@ --acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 27 Jul 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>