From a8c580020dc7e53bf0519dbd5961e4fd02890909 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 20 2021 13:28:51 +0000
Subject: import scap-security-guide-0.1.54-7.el7_9
---
diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch
deleted file mode 100644
index eacd278..0000000
--- a/SOURCES/centos-debranding.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.46/rhel7/profiles/C2S.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/C2S.profile 2020-04-02 00:13:14.710523405 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'C2S for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.46/rhel7/profiles/cjis.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cjis.profile 2020-04-02 00:14:09.815642451 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Criminal Justice Information Services (CJIS) Security Policy' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile is derived from FBI's CJIS v5.4 - Security Policy. 
A copy of this policy can be found at the CJIS Security - Policy Resource Center: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile scap-security-guide-0.1.46/rhel7/profiles/cui.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cui.profile 2020-04-02 00:14:39.735707092 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - From NIST 800-171, Section 2.2: - Security requirements for protecting the confidentiality of CUI in non-federal - information systems and organizations have a well-defined structure that -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile scap-security-guide-0.1.46/rhel7/profiles/e8.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile 2020-04-02 00:07:38.530797155 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/e8.profile 2020-04-02 00:15:34.521825440 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Australian Cyber Security Centre (ACSC) Essential Eight' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks for Red Hat Enterprise Linux 7 - that align to the Australian Cyber Security Centre (ACSC) Essential Eight. 
- -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile 2020-04-02 00:16:12.605907713 +0000 -@@ -3,6 +3,8 @@ documentation_complete: True - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile scap-security-guide-0.1.46/rhel7/profiles/ncp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ncp.profile 2020-04-02 00:19:00.198269763 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'NIST National Checklist Program Security Guide' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.46/rhel7/profiles/ospp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile 2020-04-02 00:07:38.523797140 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ospp.profile 2020-04-02 00:18:53.448255187 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2.1). -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile 2020-04-02 00:19:22.109317098 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - Ensures PCI-DSS v3.2.1 security configuration settings are applied. 
- - selections: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile 2020-04-02 00:20:04.168407959 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This *draft* profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH). - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile 2020-04-02 00:18:01.448142852 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile 2020-04-02 00:20:25.205453406 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for - Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.46/rhel7/profiles/standard.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/standard.profile 2020-04-02 00:21:05.637540751 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. 
-diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_enhanced.profile scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_enhanced.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_enhanced.profile 2021-04-27 16:26:32.968036292 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_enhanced.profile 2021-04-27 16:32:59.501871327 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'ANSSI-BP-028 (enhanced)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_high.profile scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_high.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_high.profile 2021-04-27 16:26:32.968036292 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_high.profile 2021-04-27 16:33:22.015919959 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'DRAFT - ANSSI-BP-028 (high)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. 
-diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_intermediary.profile scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_intermediary.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_intermediary.profile 2021-04-27 16:26:32.968036292 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_intermediary.profile 2021-04-27 16:33:46.957973842 +0000 -@@ -4,6 +4,8 @@ documentation_complete: true - title: 'ANSSI-BP-028 (intermediary)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_minimal.profile scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_minimal.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/anssi_nt28_minimal.profile 2021-04-27 16:26:32.968036292 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/anssi_nt28_minimal.profile 2021-04-27 16:34:23.703053225 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'ANSSI-BP-028 (minimal)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. 
-diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/cis.profile scap-security-guide-0.1.54/rhel7/profiles/cis.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/cis.profile 2021-02-03 10:54:10.000000000 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/cis.profile 2021-04-27 16:34:49.526109008 +0000 -@@ -12,6 +12,8 @@ reference: https://www.cisecurity.org/ci - title: 'CIS Red Hat Enterprise Linux 7 Benchmark' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. - -diff -uNrp scap-security-guide-0.1.54.orig/rhel7/profiles/stig.profile scap-security-guide-0.1.54/rhel7/profiles/stig.profile ---- scap-security-guide-0.1.54.orig/rhel7/profiles/stig.profile 2021-04-27 16:26:32.906036158 +0000 -+++ scap-security-guide-0.1.54/rhel7/profiles/stig.profile 2021-04-27 16:38:56.557642673 +0000 -@@ -10,6 +10,8 @@ reference: https://public.cyber.mil/stig - title: 'DISA STIG for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V3R2. - diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index c56558c..77d7ae4 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -5,7 +5,6 @@ Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 --- rhel8/CMakeLists.txt | 6 ------ - rhel8/profiles/anssi_bp28_high.profile | 2 +- rhel8/profiles/cjis.profile | 2 +- rhel8/profiles/ism_o.profile | 2 +- rhel8/profiles/rhelh-stig.profile | 2 +- @@ -18,7 +17,7 @@ diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt index d61689c97..5e444a101 100644 --- a/rhel8/CMakeLists.txt 
+++ b/rhel8/CMakeLists.txt -@@ -14,15 +14,13 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,8 +14,7 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") @@ -27,23 +26,6 @@ index d61689c97..5e444a101 100644 ssg_build_html_nistrefs_table(${PRODUCT} "stig") ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal") - ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary") - ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced") --ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high") - - ssg_build_html_cce_table(${PRODUCT}) - - ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) -diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile -index ccad93d67..6a854378c 100644 ---- a/rhel8/profiles/anssi_bp28_high.profile -+++ b/rhel8/profiles/anssi_bp28_high.profile -@@ -1,4 +1,4 @@ --documentation_complete: true -+documentation_complete: false - - title: 'ANSSI BP-028 (high)' - diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile index 035d2705b..c6475f33e 100644 --- a/rhel8/profiles/cjis.profile diff --git a/SOURCES/remove-ANSSI-high-ks.patch b/SOURCES/remove-ANSSI-high-ks.patch deleted file mode 100644 index 5298c70..0000000 --- a/SOURCES/remove-ANSSI-high-ks.patch +++ /dev/null 
@@ -1,187 +0,0 @@ -From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 17 Feb 2021 15:36:59 +0100 -Subject: [PATCH] Remove kickstart for profile not shipped - -RHEL-8 ANSSI high is not shipped at the momment ---- - .../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------ - 1 file changed, 167 deletions(-) - delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg - -diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg -deleted file mode 100644 -index b5c09253a..000000000 ---- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg -+++ /dev/null -@@ -1,167 +0,0 @@ --# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8 --# Version: 0.0.1 --# Date: 2020-12-10 --# --# Based on: --# https://pykickstart.readthedocs.io/en/latest/ --# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg -- --# Specify installation method to use for installation --# To use a different one comment out the 'url' one below, update --# the selected choice with proper options & un-comment it --# --# Install from an installation tree on a remote server via FTP or HTTP: --# --url the URL to install from --# --# Example: --# --# url --url=http://192.168.122.1/image --# --# Modify concrete URL in the above example appropriately to reflect the actual --# environment machine is to be installed in --# --# Other possible / supported installation methods: --# * install from the first CD-ROM/DVD drive on the system: --# --# cdrom --# --# * install from a directory of ISO images on a local drive: --# --# harddrive --partition=hdb2 --dir=/tmp/install-tree --# --# * install from provided NFS server: --# --# nfs --server= --dir= [--opts=] --# --# Set language to use during installation and the default language to use on the installed system (required) --lang en_US.UTF-8 -- --# Set system keyboard type / layout (required) --keyboard us 
-- --# Configure network information for target system and activate network devices in the installer environment (optional) --# --onboot enable device at a boot time --# --device device to be activated and / or configured with the network command --# --bootproto method to obtain networking configuration for device (default dhcp) --# --noipv6 disable IPv6 on this device --# --# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, --# "--bootproto=static" must be used. For example: --# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 --# --network --onboot yes --bootproto dhcp --noipv6 -- --# Set the system's root password (required) --# Plaintext password is: server --# Refer to e.g. --# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw --# to see how to create encrypted password form for different plaintext password --rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 -- --# The selected profile will restrict root login --# Add a user that can login and escalate privileges --# Plaintext password is: admin123 --user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -- --# Configure firewall settings for the system (optional) --# --enabled reject incoming connections that are not in response to outbound requests --# --ssh allow sshd service through the firewall --firewall --enabled --ssh -- --# State of SELinux on the installed system (optional) --# Defaults to enforcing --selinux --enforcing -- --# Set the system time zone (required) --timezone --utc America/New_York -- --# Specify how the bootloader should be installed (required) --# Plaintext password is: password --# Refer to e.g. 
--# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw --# to see how to create encrypted password form for different plaintext password --bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 -- --# Initialize (format) all disks (optional) --zerombr -- --# The following partition layout scheme assumes disk of size 20GB or larger --# Modify size of partitions appropriately to reflect actual machine's hardware --# --# Remove Linux partitions from the system prior to creating new ones (optional) --# --linux erase all Linux partitions --# --initlabel initialize the disk label to the default based on the underlying architecture --clearpart --linux --initlabel -- --# Create primary system partitions (required for installs) --part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" --part pv.01 --grow --size=1 -- --# Create a Logical Volume Management (LVM) group (optional) --volgroup VolGroup --pesize=4096 pv.01 -- --# Create particular logical volumes (optional) --logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow --# Ensure /usr Located On Separate Partition --logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" --# Ensure /opt Located On Separate Partition --logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" --# Ensure /srv Located On Separate Partition --logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" --# Ensure /home Located On Separate Partition --logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" --# Ensure /tmp Located On Separate Partition --logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" --# Ensure /var/tmp Located On Separate Partition --logvol /var/tmp 
--fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" --# Ensure /var Located On Separate Partition --logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" --# Ensure /var/log Located On Separate Partition --logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" --# Ensure /var/log/audit Located On Separate Partition --logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" --logvol swap --name=swap --vgname=VolGroup --size=2016 -- --# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) --# content - security policies - on the installed system.This add-on has been enabled by default --# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this --# functionality will automatically be installed. However, by default, no policies are enforced, --# meaning that no checks are performed during or after installation unless specifically configured. --# --# Important --# Applying a security policy is not necessary on all systems. This screen should only be used --# when a specific policy is mandated by your organization rules or government regulations. --# Unlike most other commands, this add-on does not accept regular options, but uses key-value --# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. --# Values can be optionally enclosed in single quotes (') or double quotes ("). --# --# The following keys are recognized by the add-on: --# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. --# - If the content-type is scap-security-guide, the add-on will use content provided by the --# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. 
--# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. --# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. --# xccdf-id - ID of the benchmark you want to use. --# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. --# profile - ID of the profile to be applied. Use default to apply the default profile. --# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. --# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. --# --# The following is an example %addon org_fedora_oscap section which uses content from the --# scap-security-guide on the installation media: --%addon org_fedora_oscap -- content-type = scap-security-guide -- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high --%end -- --# Packages selection (%packages section is required) --%packages -- --# Require @Base --@Base -- --%end # End of %packages section -- --# Reboot after the installation is complete (optional) --# --eject attempt to eject CD or DVD media before rebooting --reboot --eject --- -2.26.2 - diff --git a/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch index 9903603..5138d9a 100644 --- a/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch +++ b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch @@ -172,7 +172,7 @@ index 6b0489e0f1..2853f20607 100644 --- a/rhel8/profiles/anssi_bp28_high.profile +++ b/rhel8/profiles/anssi_bp28_high.profile 
@@ -1,11 +1,15 @@ - documentation_complete: false + documentation_complete: true -title: 'ANSSI BP-028 (high)' +title: 'DRAFT - ANSSI BP-028 (high)' @@ -376,7 +376,7 @@ index 2853f20607..d9147b2dd0 100644 --- a/rhel8/profiles/anssi_bp28_high.profile +++ b/rhel8/profiles/anssi_bp28_high.profile @@ -1,14 +1,14 @@ - documentation_complete: false + documentation_complete: true -title: 'DRAFT - ANSSI BP-028 (high)' +title: 'DRAFT - ANSSI-BP-028 (high)' @@ -526,7 +526,7 @@ diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_ index d9147b2dd0..e4db830291 100644 --- a/rhel8/profiles/anssi_bp28_high.profile +++ b/rhel8/profiles/anssi_bp28_high.profile -@@ -3,7 +3,7 @@ documentation_complete: false +@@ -3,7 +3,7 @@ documentation_complete: true title: 'DRAFT - ANSSI-BP-028 (high)' description: |- diff --git a/SOURCES/scap-security-guide-0.1.56-add_remediations_sudo_validate_passwd-PR_6963.patch b/SOURCES/scap-security-guide-0.1.56-add_remediations_sudo_validate_passwd-PR_6963.patch new file mode 100644 index 0000000..6bd2760 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_remediations_sudo_validate_passwd-PR_6963.patch 
@@ -0,0 +1,58 @@ +From 8ba2b2d48b328a762c582e83b8f612a66fda9210 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 6 May 2021 13:51:31 +0200 +Subject: [PATCH 1/2] add remediations + +--- + .../sudo/sudoers_validate_passwd/ansible/shared.yml | 9 +++++++++ + .../software/sudo/sudoers_validate_passwd/bash/shared.sh | 5 +++++ + 2 files changed, 14 insertions(+) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +new file mode 100644 +index 0000000000..8fd362d63f +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +@@ -0,0 +1,9 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}} ++{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}} ++{{{ ansible_lineinfile(msg='Ensure that is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}} +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh +new file mode 100644 +index 0000000000..ea0ac67fa1 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = multi_platform_all ++ ++{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, 
insensitive=false, separator="", separator_regex="", prefix_regex="") }}} ++{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}} ++{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}} + +From 6c84b729ecad076e77fc845ce7252aa6582dc315 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 6 May 2021 15:48:54 +0200 +Subject: [PATCH 2/2] fix ansible message + +--- + .../software/sudo/sudoers_validate_passwd/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +index 8fd362d63f..08ffd76aed 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +@@ -6,4 +6,4 @@ + + {{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}} + {{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}} +-{{{ ansible_lineinfile(msg='Ensure that is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}} ++{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}} diff --git a/SOURCES/scap-security-guide-0.1.56-add_rhel7_stig_kickstarts-PR_7026.patch b/SOURCES/scap-security-guide-0.1.56-add_rhel7_stig_kickstarts-PR_7026.patch new file mode 100644 index 0000000..b8eabdb 
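Review bot: The three `set_config_file` calls in bash/shared.sh and the three `ansible_lineinfile` tasks in ansible/shared.yml edit `/etc/sudoers` directly with no syntax validation of the result, so a malformed or conflicting line (for example a pre-existing `Defaults targetpw` that the new `Defaults !targetpw` does not replace) is not caught and could leave sudo unusable for every user on the host. I would add a post-write check after the last `set_config_file` call, e.g. `visudo -cf /etc/sudoers || exit 1`, and on the Ansible side use lineinfile's `validate: '/usr/sbin/visudo -cf %s'` if the `ansible_lineinfile` macro can pass it through (it does not appear to here, so that may need a plain task instead). The `create=true` / `create='yes'` arguments also mean a host without `/etc/sudoers` ends up with a file holding only these three Defaults lines, which is probably not the intent; consider whether creation is wanted at all. Settings in `/etc/sudoers.d/` drop-ins are not touched by either remediation, so a `targetpw`, `rootpw` or `runaspw` enabled there would still leave the rule failing after remediation; a comment stating that scope limit would help.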
--- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_rhel7_stig_kickstarts-PR_7026.patch 
@@ -0,0 +1,281 @@ +From 8b7da9c093c80844ccbf7f5031a91bd1669ed4f0 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 20 May 2021 13:16:07 +0200 +Subject: [PATCH] Add kickstart files for RHEL7 STIG and STIG with GUI. + +--- + rhel7/kickstart/ssg-rhel7-stig-ks.cfg | 129 ++++++++++++++++++++++ + rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg | 128 +++++++++++++++++++++ + 2 files changed, 257 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-stig-ks.cfg + create mode 100644 rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-stig-ks.cfg b/rhel7/kickstart/ssg-rhel7-stig-ks.cfg +new file mode 100644 +index 00000000000..68b777c8337 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-stig-ks.cfg +@@ -0,0 +1,129 @@ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a 
boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow ++# CCE-26557-9: Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26435-8: Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# CCE-26639-5: Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" ++# CCE-26215-4: Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" ++logvol swap --name=lv_swap 
--vgname=VolGroup --size=2016 ++ ++# The full id of DISA STIG profile is used because otherwise there would be ++# a conflict with rhelh-stig. ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_stig ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg b/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg +new file mode 100644 +index 00000000000..55f74479fda +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-stig_gui-ks.cfg +@@ -0,0 +1,128 @@ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# 
--onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow ++# CCE-26557-9: Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26435-8: Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# CCE-26639-5: Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" ++# CCE-26215-4: Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" ++logvol swap --name=lv_swap 
--vgname=VolGroup --size=2016 ++ ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_stig_gui ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++# Graphical User Interface package group ++@^graphical-server-environment ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.56-add_rules_for_selinux_packages_removed-PR_6969.patch b/SOURCES/scap-security-guide-0.1.56-add_rules_for_selinux_packages_removed-PR_6969.patch new file mode 100644 index 0000000..b6fd341 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_rules_for_selinux_packages_removed-PR_6969.patch 
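Review bot: Both new kickstart files set a root password and a GRUB password whose plaintext is printed in the file itself (`# Plaintext password is: server`, `# Plaintext password is: password`, with the same `$6$rhel6usgcb$` salt in both), so any host built from an unmodified copy ships with publicly known credentials; the comment should say so plainly, e.g. `# WARNING: replace this hash before use; the plaintext is published with this file` above each `rootpw --iscrypted` and `bootloader ... --password=` line. The bootloader comment also points readers at the `#rootpw` anchor rather than a bootloader-password reference. The DHCP note cites CCE-27021-5 / RHEL-06-000292, a RHEL 6 identifier carried into a RHEL 7 kickstart, and should be checked against the RHEL 7 STIG mapping before it is relied on. The two files are otherwise identical apart from the `%addon` profile id and the `@^graphical-server-environment` group, so the comment explaining why the full profile id is used (present only in ssg-rhel7-stig-ks.cfg) belongs in ssg-rhel7-stig_gui-ks.cfg too.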
@@ -0,0 +1,104 @@ +From 0c9c768e111f71e141a599053d2d6c4d3e56d5a1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 6 May 2021 19:43:25 +0200 +Subject: [PATCH] Add rules to remove setroubleshoot packages + +Added rules to remove setroubleshoot-plugins and server. +--- + controls/anssi.yml | 2 ++ + .../rule.yml | 32 ++++++++++++++++++ + .../rule.yml | 33 +++++++++++++++++++ + 4 files changed, 67 insertions(+), 8 deletions(-) + create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml + create mode 100644 linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 705f8e25aab..603f224ffaa 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -983,6 +983,8 @@ controls: + on a machine in production. + rules: + - package_setroubleshoot_removed ++ - package_setroubleshoot-server_removed ++ - package_setroubleshoot-plugins_removed + + - id: R69 + level: high +diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml +new file mode 100644 +index 00000000000..d20c1116dc0 +--- /dev/null ++++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9 ++ ++title: 'Uninstall setroubleshoot-plugins Package' ++ ++description: |- ++ The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, ++ unauthorized intrusions, and other potential errors. ++ {{{ describe_package_remove(package="setroubleshoot-plugins") }}} ++ ++rationale: |- ++ The SETroubleshoot service is an unnecessary daemon to ++ have running on a server. 
++ ++severity: low ++ ++identifiers: ++ cce@rhcos4: CCE-84091-8 ++ cce@rhel7: CCE-84249-2 ++ cce@rhel8: CCE-84250-0 ++ cce@rhel9: CCE-84251-8 ++ ++references: ++ anssi: BP28(R68) ++ ++{{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}} ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: setroubleshoot-plugins +diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml +new file mode 100644 +index 00000000000..c5fec06ddc5 +--- /dev/null ++++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9 ++ ++title: 'Uninstall setroubleshoot-server Package' ++ ++description: |- ++ The SETroubleshoot service notifies desktop users of SELinux ++ denials. The service provides information around configuration errors, ++ unauthorized intrusions, and other potential errors. ++ {{{ describe_package_remove(package="setroubleshoot-server") }}} ++ ++rationale: |- ++ The SETroubleshoot service is an unnecessary daemon to have ++ running on a server. ++ ++severity: low ++ ++identifiers: ++ cce@rhcos4: CCE-84093-4 ++ cce@rhel7: CCE-83488-7 ++ cce@rhel8: CCE-83490-3 ++ cce@rhel9: CCE-84252-6 ++ ++references: ++ anssi: BP28(R68) ++ ++{{{ complete_ocil_entry_package(package="setroubleshoot-server") }}} ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: setroubleshoot-server diff --git a/SOURCES/scap-security-guide-0.1.56-add_stig_gui_profile-PR_6863.patch b/SOURCES/scap-security-guide-0.1.56-add_stig_gui_profile-PR_6863.patch new file mode 100644 index 0000000..2a2f51e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_stig_gui_profile-PR_6863.patch 
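Review bot: The patch header says `4 files changed, 67 insertions(+), 8 deletions(-)` but the patch itself carries three files and no deletions, so the diffstat was left stale when the patch was trimmed for this backport; `patch` and `git apply` ignore it, but it misleads anyone auditing what the SRPM applies, and it should be regenerated. The rationale of package_setroubleshoot-plugins_removed reuses the server rule's text (`The SETroubleshoot service is an unnecessary daemon`) although, per its own description, setroubleshoot-plugins is the plugin package rather than the daemon; something like `The SETroubleshoot plugins are only needed by the setroubleshoot service, which should not run on a server.` would be accurate.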
@@ -0,0 +1,97 @@ +From e768a31f2d30b0af9f36ceca8c674ed084b7c93e Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Mon, 19 Apr 2021 13:07:04 -0400 +Subject: [PATCH 1/3] Creating new RHEL 7 STIG GUI profile + +--- + rhel7/profiles/stig_gui.profile | 35 +++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + create mode 100644 rhel7/profiles/stig_gui.profile + +diff --git a/rhel7/profiles/stig_gui.profile b/rhel7/profiles/stig_gui.profile +new file mode 100644 +index 00000000000..5f64363d64b +--- /dev/null ++++ b/rhel7/profiles/stig_gui.profile +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++metadata: ++ version: V3R1 ++ SMEs: ++ - carlosmmatos ++ ++reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux ++ ++title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' ++ ++description: |- ++ This profile contains configuration checks that align to the ++ DISA STIG with GUI for Red Hat Enterprise Linux V3R2. ++ ++ In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this ++ configuration baseline as applicable to the operating system tier of ++ Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: ++ ++ - Red Hat Enterprise Linux Server ++ - Red Hat Enterprise Linux Workstation and Desktop ++ - Red Hat Enterprise Linux for HPC ++ - Red Hat Storage ++ - Red Hat Containers with a Red Hat Enterprise Linux 7 image ++ ++ Warning: The installation and use of a Graphical User Interface (GUI) ++ increases your attack vector and decreases your overall security posture. If ++ your Information Systems Security Officer (ISSO) lacks a documented operational ++ requirement for a graphical user interface, please consider using the ++ standard DISA STIG for Red Hat Enterprise Linux 7 profile. 
++ ++extends: stig ++ ++selections: ++ - '!xwindows_remove_packages' + +From 04a2f7553cb95b34c1af28c93fabe945aa5fa0de Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Tue, 20 Apr 2021 08:26:31 -0400 +Subject: [PATCH 2/3] Updated metadata version to V3R2 + +--- + rhel7/profiles/stig.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 1ea19bc4d8a..192a0874d19 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R1 ++ version: V3R2 + SMEs: + - carlosmmatos + + +From 28938e0655c4a3adac767f278317bb83dca162b0 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Wed, 21 Apr 2021 11:00:03 -0400 +Subject: [PATCH 3/3] Updated metadata version to V3R2 on stig_gui profile + +--- + rhel7/profiles/stig_gui.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel7/profiles/stig_gui.profile b/rhel7/profiles/stig_gui.profile +index 5f64363d64b..c15ea10fdae 100644 +--- a/rhel7/profiles/stig_gui.profile ++++ b/rhel7/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R1 ++ version: V3R2 + SMEs: + - carlosmmatos + diff --git a/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges-PR_6734.patch b/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges-PR_6734.patch new file mode 100644 index 0000000..d024afe --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges-PR_6734.patch 
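Review bot: The `selections:` list in stig_gui.profile deselects only `xwindows_remove_packages` with no comment, so a reader cannot tell whether that is the full set of differences between the GUI and non-GUI baselines or just the first one found; a comment such as `# Only the X packages rule is relaxed; every other stig selection still applies` on that entry, plus a sentence in the description stating that all other STIG rules remain selected, would make the intent explicit. If the base stig profile selects any other rule that conflicts with a graphical install (which cannot be determined from this patch), it will still apply under stig_gui, so the selection list should be verified on a GUI install before release. Within PATCH 1/3 the description already says V3R2 while `metadata: version` says V3R1; the follow-up patches reconcile that, so nothing further is needed there.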
@@ -0,0 +1,274 @@ +From ddd0683975f94be4eff811b89864e40521f11b02 Mon Sep 17 00:00:00 2001 +From: sampsone +Date: Wed, 17 Mar 2021 15:46:16 -0500 +Subject: [PATCH 1/5] SLES-15-020101 add rule and tests, no remediation. + +--- + .../oval/shared.xml | 35 +++++++++++++++++ + .../rule.yml | 38 +++++++++++++++++++ + .../tests/simple.fail.sh | 5 +++ + .../tests/simple.pass.sh | 5 +++ + .../tests/sudoers_d.fail.sh | 5 +++ + 6 files changed, 89 insertions(+) + create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml + create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml +new file mode 100644 +index 00000000000..f6a6b2fbb73 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml +@@ -0,0 +1,35 @@ ++ ++ ++ {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/sudoers(\.d/.*)?$ ++ ^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/sudoers(\.d/.*)?$ ++ ^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s* ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +new 
file mode 100644 +index 00000000000..523dd62d91e +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++title: 'The operating system must restrict privilege elevation to authorized personnel' ++ ++prodtype: sle15 ++ ++description: |- ++ The sudo command allows a user to execute programs with elevated ++ (administrator) privileges. It prompts the user for their password ++ and confirms your request to execute a command by checking a file, ++ called sudoers. ++ ++rationale: |- ++ If the "sudoers" file is not configured correctly, any user defined ++ on the system can initiate privileged actions on the target system. ++ ++severity: medium ++ ++identifiers: ++ CCE-85712-8 ++ ++references: ++ nist: CM-6(b),CM-6(iv) ++ disa@sle15: CCI-000366 ++ stig@sle15: SLES-15-020101 ++ ++ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.' ++ ++ocil: |- ++ To determine if "sudoers" file, restricts sudo access, run the following commands: ++
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
++
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
++ Both commands should return no output. ++ ++platform: sudo ++ ++warnings: ++ - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +new file mode 100644 +index 00000000000..bc1f7aaf5a5 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +@@ -0,0 +1,5 @@ ++# platform = SUSE Linux Enterprise 15 ++# packages = sudo ++ ++echo 'ALL ALL=(ALL) ALL' > /etc/sudoers ++echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh +new file mode 100644 +index 00000000000..9d38ecc7f92 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh +@@ -0,0 +1,5 @@ ++# platform = SUSE Linux Enterprise 15 ++# packages = sudo ++ ++echo 'user ALL=(admin) ALL' > /etc/sudoers ++echo 'user ALL=(admin:admin) ALL' > /etc/sudoers.d/foo +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh +new file mode 100644 +index 00000000000..f5f156829b8 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh +@@ -0,0 +1,5 @@ ++# platform = SUSE Linux Enterprise 15 ++# packages = sudo ++# remediation = none ++ ++echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo 
+ +From 53096e65642f535184d4e566c4a04778d4efc3d2 Mon Sep 17 00:00:00 2001 +From: Earl Sampson +Date: Tue, 23 Mar 2021 08:33:03 -0500 +Subject: [PATCH 2/5] Update + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml + +Co-authored-by: Gabriel Becker +--- + .../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index 523dd62d91e..0e8ebcba9b6 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -17,7 +17,7 @@ rationale: |- + severity: medium + + identifiers: +- CCE-85712-8 ++ cce@sle15: CCE-85712-8 + + references: + nist: CM-6(b),CM-6(iv) + +From 1e6fe4161834d10c6423b177973e25cbc29b2049 Mon Sep 17 00:00:00 2001 +From: Earl Sampson +Date: Tue, 23 Mar 2021 13:24:23 -0500 +Subject: [PATCH 3/5] make warning multiline + +--- +.../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 4 +++ - + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index 0e8ebcba9b6..ba79902bc22 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -35,4 +35,6 @@ ocil: |- + platform: sudo + + warnings: +- - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. 
++- general: |- ++ This rule doesn't come with a remediation, as the exact requirement allows exceptions, ++ and removing lines from the sudoers file can make the system non-administrable. + +From 7948d5b5fbc9fe7d9d0194dc162feef6996d62c5 Mon Sep 17 00:00:00 2001 +From: sampsone +Date: Wed, 24 Mar 2021 10:03:22 -0500 +Subject: [PATCH 4/5] Macro-ize sudoers check + +--- + .../oval/shared.xml | 40 ++++++++----------- + 1 file changed, 16 insertions(+), 24 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml +index f6a6b2fbb73..c7790c4da2f 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml +@@ -1,35 +1,27 @@ + +- +- {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} +- +- +- +- +- +- ++ {{% macro check_sudoers(scope, pattern) %}} + +- ++ id="test_not_all_users_can_sudo_to_{{{ scope }}}" version="1"> ++ + + +- ++ + ^/etc/sudoers(\.d/.*)?$ +- ^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$ ++ {{{ pattern }}} + 1 + ++ {{% endmacro %}} ++ ++ ++ {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} ++ ++ ++ ++ ++ + +- +- +- +- +- +- +- ^/etc/sudoers(\.d/.*)?$ +- ^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s* +- 1 +- ++ {{{ check_sudoers(scope='users',pattern='^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$') }}} ++ {{{ check_sudoers(scope='group',pattern='^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*') }}} + + + +From 875413af52022a4aedfc97be5bc39b1af25041ca Mon Sep 17 00:00:00 2001 +From: Earl Sampson +Date: Fri, 26 Mar 2021 10:28:26 -0500 +Subject: [PATCH 5/5] Update + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml + +Co-authored-by: Gabriel Becker +--- 
+ .../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index ba79902bc22..8449bcade65 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -24,7 +24,7 @@ references: + disa@sle15: CCI-000366 + stig@sle15: SLES-15-020101 + +-ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.' ++ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel' + + ocil: |- + To determine if "sudoers" file, restricts sudo access, run the following commands: diff --git a/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges_to_stig-PR_6866.patch b/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges_to_stig-PR_6866.patch new file mode 100644 index 0000000..2421b2d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_sudo_restrict_privileges_to_stig-PR_6866.patch 
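Review bot: The two OVAL patterns in oval/shared.xml are anchored differently — `^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$` ends with `$` while `^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*` does not, the macro-ized version in PATCH 4/5 keeps the mismatch, and both OCIL commands in rule.yml use `$`; the automated check and the manual procedure should agree. Both patterns also match only the literal `ALL ALL=(ALL) ALL` spelling, so a sudoers entry with spaces around `=`, a `NOPASSWD:` tag, or no runas part (`ALL ALL=ALL`) grants the same blanket access and passes the rule; a pattern such as `^\s*ALL\s+ALL\s*=\s*(\(ALL(:ALL)?\)\s*)?(\w+:\s*)*ALL\s*$` (or its two-scope equivalent in the macro) would cover the common spellings, and the rule description should state that aliases and `#include`/`@include` directives are outside what a per-line regex can evaluate. The test scenarios are inconsistent: only sudoers_d.fail.sh carries `# remediation = none` although the rule declares no remediation at all, so simple.fail.sh and simple.pass.sh should carry the same header.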
@@ -0,0 +1,221 @@ +From 80cee70a289588a9dc7c8f9431f073c4ce54c5f7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 11:32:54 +0200 +Subject: [PATCH 01/10] add rhel7 stig references and update description + +--- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 9 ++++++++- + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index db1d4fc79cb..d13d24dc229 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -2,13 +2,16 @@ documentation_complete: true + + title: 'The operating system must restrict privilege elevation to authorized personnel' + +-prodtype: sle15 ++prodtype: ol7,rhel7,sle15 + + description: |- + The sudo command allows a user to execute programs with elevated + (administrator) privileges. It prompts the user for their password + and confirms your request to execute a command by checking a file, + called sudoers. 
++ Restrict privileged actions by removing the following entries from the sudoers file: ++ ALL ALL=(ALL) ALL ++ ALL ALL=(ALL:ALL) ALL + + rationale: |- + If the "sudoers" file is not configured correctly, any user defined +@@ -18,11 +21,15 @@ severity: medium + + identifiers: + cce@sle15: CCE-85712-8 ++ cce@rhel7: CCE-83423-4 + + references: + nist: CM-6(b),CM-6(iv) + disa@sle15: CCI-000366 + stig@sle15: SLES-15-020101 ++ disa@rhel7: CCI-000366 ++ stigid@rhel7: RHEL-07-010341 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel' + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 7ad068fc611..257b07d1f0b 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -7,7 +7,6 @@ + CCE-83407-7 + CCE-83421-8 + CCE-83422-6 +-CCE-83423-4 + CCE-83425-9 + CCE-83426-7 + CCE-83428-3 + +From 277abe35785e38337d8c17d46b8ca0372eac2f6d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 11:36:33 +0200 +Subject: [PATCH 02/10] fix sle15 reference + +--- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index d13d24dc229..73812cccd83 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -26,7 +26,7 @@ identifiers: + references: + nist: CM-6(b),CM-6(iv) + disa@sle15: CCI-000366 +- stig@sle15: SLES-15-020101 ++ stigid@sle15: SLES-15-020101 + disa@rhel7: CCI-000366 + stigid@rhel7: RHEL-07-010341 + srg: SRG-OS-000480-GPOS-00227 + +From 
d3c3c0eea1d8eac57fc517ec9209854f2ae23353 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 11:36:56 +0200 +Subject: [PATCH 03/10] add rule to the profile + +--- + rhel7/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index fc4dbb12e11..b0def70fd01 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -104,6 +104,7 @@ selections: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - sudo_remove_nopasswd ++ - sudo_restrict_privilege_elevation_to_authorized + - sudo_remove_no_authenticate + - accounts_logon_fail_delay + - gnome_gdm_disable_automatic_login + +From a22162a02358b15d840fba8a57eb5b3006ed67e4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 11:49:46 +0200 +Subject: [PATCH 04/10] update test applicability + +--- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh | 1 + + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh | 2 +- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh | 2 +- + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +index bc1f7aaf5a5..74aa21c68c8 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = SUSE Linux Enterprise 15 + # packages = sudo + +diff --git 
a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh +index 9d38ecc7f92..50f6eb51dee 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++#!/bin/bash + # packages = sudo + + echo 'user ALL=(admin) ALL' > /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh +index f5f156829b8..4471436cada 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++#!/bin/bash + # packages = sudo + # remediation = none + + +From 32de49c5dafdd1e8c1bb6e70b99b72ae10574060 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 11:57:00 +0200 +Subject: [PATCH 05/10] update rule also for rhel8 + +--- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 6 +++++- + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +index 73812cccd83..aea61df80d2 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml ++++ 
b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'The operating system must restrict privilege elevation to authorized personnel' + +-prodtype: ol7,rhel7,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,sle15 + + description: |- + The sudo command allows a user to execute programs with elevated +@@ -22,6 +22,8 @@ severity: medium + identifiers: + cce@sle15: CCE-85712-8 + cce@rhel7: CCE-83423-4 ++ cce@rhel8: CCE-83425-9 ++ + + references: + nist: CM-6(b),CM-6(iv) +@@ -30,6 +32,8 @@ references: + disa@rhel7: CCI-000366 + stigid@rhel7: RHEL-07-010341 + srg: SRG-OS-000480-GPOS-00227 ++ disa@rhel8: CCI-000366 ++ stigid@rhel8: RHEL-08-010382 + + ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel' + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 257b07d1f0b..ec8e90215f4 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -6,7 +6,6 @@ + CCE-83407-7 + CCE-83421-8 + CCE-83422-6 +-CCE-83425-9 + CCE-83426-7 + CCE-83428-3 + CCE-83429-1 + +From 8505b5e209281f13c00581904ccc6410c76b3333 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 20 Apr 2021 12:13:01 +0200 +Subject: [PATCH 07/10] update one more test applicability + +--- + linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +index 74aa21c68c8..8547be4d6f6 100644 +--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh ++++ 
b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh +@@ -1,5 +1,4 @@ + #!/bin/bash +-# platform = SUSE Linux Enterprise 15 + # packages = sudo + + echo 'ALL ALL=(ALL) ALL' > /etc/sudoers + diff --git a/SOURCES/scap-security-guide-0.1.56-add_sudo_validate_passwd_into_stig-PR_6897.patch b/SOURCES/scap-security-guide-0.1.56-add_sudo_validate_passwd_into_stig-PR_6897.patch new file mode 100644 index 0000000..1f5a068 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-add_sudo_validate_passwd_into_stig-PR_6897.patch 
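Review bot: The description lines added to rule.yml in PATCH 01/10 tell the administrator to remove the `ALL ALL=(ALL) ALL` and `ALL ALL=(ALL:ALL) ALL` entries from "the sudoers file", but the rule's own test `sudoers_d.fail.sh` (PATCH 04/10 in this same patch file) shows that drop-in files are in scope too, and the OVAL file pattern in the preceding patch file appears to match `/etc/sudoers.d/*` as well, so a reader following the description literally can leave a non-compliant drop-in in place and still be told to remediate. Suggest `Restrict privileged actions by removing the following entries from the sudoers file and from any file under /etc/sudoers.d/:`. Separately, the backported series carries PATCH 01–05 and 07 of 10 and PATCH 05/10 leaves a stray blank `++` line after `cce@rhel8: CCE-83425-9` inside `identifiers:`; the patch header should state which upstream commits were intentionally dropped so a later rebase does not re-add them blindly.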
@@ -0,0 +1,133 @@ +From ec8ab4395f055af03b6147d40f86af4fb994ad62 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 26 Apr 2021 15:57:51 +0200 +Subject: [PATCH 1/2] make rule and tests applicable to more products + +add stigids for rhel7 and rhel8 +--- + .../system/software/sudo/sudoers_validate_passwd/rule.yml | 6 +++++- + .../tests/sudoers_validate_passwd.fail.sh | 2 +- + .../tests/sudoers_validate_passwd.pass.sh | 2 +- + .../tests/sudoers_validate_rootpw.fail.sh | 2 +- + .../tests/sudoers_validate_runaspw.fail.sh | 2 +- + .../tests/sudoers_validate_targetpw.fail.sh | 2 +- + shared/references/cce-redhat-avail.txt | 2 -- + 7 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +index d0a90a3723a..8052e23c857 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure invoking users password for privilege escalation when using sudo' + +-prodtype: sle15 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15 + + description: |- + The sudoers security policy requires that users authenticate themselves before they can use sudo. +@@ -20,6 +20,8 @@ rationale: |- + the invoking user for the "root" user password. 
+ + identifiers: ++ cce@rhel7: CCE-83421-8 ++ cce@rhel8: CCE-83422-6 + cce@sle15: CCE-85747-4 + + references: +@@ -27,6 +29,8 @@ references: + nist@sle15: CM-6(b),CM-6.1(iv) + srg: SRG-OS-000480-GPOS-00227 + stigid@sle15: SLES-15-020103 ++ stigid@rhel7: RHEL-07-010342 ++ stigid@rhel8: RHEL-08-010383 + + ocil_clause: 'invoke user passwd when using sudo' + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh +index d8b33a0ac52..9706b8bd19d 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 + # packages = sudo + + if [ $(sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ] +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh +index f2461085f99..093f9dd80bf 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 + # packages = sudo + + echo 'Defaults !targetpw' >> /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh 
b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh +index 9a8f51450cd..b12d1f886aa 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 + # packages = sudo + + if [ $(sudo egrep -i '(!rootpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ] +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh +index a455aa14968..93b3dfebfc8 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 + # packages = sudo + + if [ $(sudo egrep -i '(!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ] +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh +index 1b18a8f3dc5..103cb466506 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh +@@ -1,4 +1,4 @@ +-# platform = SUSE Linux Enterprise 15 ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 + # 
packages = sudo + + if [ $(sudo egrep -i '(!targetpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ] +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 7c7730c1678..7ad068fc611 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -5,8 +5,6 @@ + CCE-83405-1 + CCE-83406-9 + CCE-83407-7 +-CCE-83421-8 +-CCE-83422-6 + CCE-83426-7 + CCE-83428-3 + CCE-83429-1 + +From a1a982c6035564b6f151359a771d2c01131b0a6e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 26 Apr 2021 16:12:18 +0200 +Subject: [PATCH 2/2] add rule to rhel7 and rhel8 stig profiles + +--- + rhel7/profiles/stig.profile | 1 + + 4 files changed, 6 insertions(+) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 192a0874d19..fc4dbb12e11 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -106,6 +106,7 @@ selections: + - sudo_remove_nopasswd + - sudo_restrict_privilege_elevation_to_authorized + - sudo_remove_no_authenticate ++ - sudoers_validate_passwd + - accounts_logon_fail_delay + - gnome_gdm_disable_automatic_login + - gnome_gdm_disable_guest_login + diff --git a/SOURCES/scap-security-guide-0.1.56-anaconda_remediation_remove_xwindows_package-PR_6873.patch b/SOURCES/scap-security-guide-0.1.56-anaconda_remediation_remove_xwindows_package-PR_6873.patch new file mode 100644 index 0000000..2a126ff --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-anaconda_remediation_remove_xwindows_package-PR_6873.patch 
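Review bot: The diffstat of PATCH 2/2 lists only `rhel7/profiles/stig.profile | 1 +` yet states `4 files changed, 6 insertions(+)`, and its subject still reads "add rule to rhel7 and rhel8 stig profiles" although only the rhel7 hunk survives; this looks like the other profile changes (presumably the rhel8 and GUI variants) were dropped during the backport without the header being updated. `git am` and `patch` ignore the diffstat, so the file applies, but the stale header misleads anyone auditing what this el7 build actually changes. Suggest correcting it to `1 file changed, 1 insertion(+)` and adding a sentence under the subject noting that the non-rhel7 profile hunks were intentionally omitted for this package.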
@@ -0,0 +1,19 @@ +From 1b5bef87436d6e1c9e5fc5a63d763286f20f9116 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 21 Apr 2021 18:33:45 +0200 +Subject: [PATCH] Add anaconda remediation for xwindows_remove_packages. + +--- + .../xwindows_remove_packages/anaconda/shared.anaconda | 3 +++ + 1 file changed, 3 insertions(+) + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda +new file mode 100644 +index 00000000000..d7b3f116804 +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/anaconda/shared.anaconda +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils {{{ "--remove=xorg-x11-server-Xwayland" if product not in ["rhel7", "ol7"] }}} diff --git a/SOURCES/scap-security-guide-0.1.56-bump_version_to_v3r3-PR_6951.patch b/SOURCES/scap-security-guide-0.1.56-bump_version_to_v3r3-PR_6951.patch new file mode 100644 index 0000000..c0de019 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.56-bump_version_to_v3r3-PR_6951.patch 
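Review bot: The conditional in the new `shared.anaconda` line, `{{{ "--remove=xorg-x11-server-Xwayland" if product not in ["rhel7", "ol7"] }}}`, has no `else` branch, so on rhel7/ol7 the expression evaluates to an undefined value; with Jinja's default Undefined this renders as an empty string, but a strict-undefined environment would fail at build time, and a trailing space is left on the kickstart line either way. Writing `{{{ "--remove=xorg-x11-server-Xwayland" if product not in ["rhel7", "ol7"] else "" }}}` makes the intent explicit and is robust to either setting. A comment above the line explaining why Xwayland is skipped on those products (presumably the package is not shipped there) would also help maintainers, e.g. `# xorg-x11-server-Xwayland is only removed on products that ship it`.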
@@ -0,0 +1,1496 @@ +From bd615cb106ec2d584f104044b5448ca91e9dfe1b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 5 May 2021 16:18:07 +0200 +Subject: [PATCH 1/2] bump rhel7 stig version to v3r3 + +--- + rhel7/profiles/stig.profile | 4 ++-- + rhel7/profiles/stig_gui.profile | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 15ccec7ce09..336bf98e7f7 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R2 ++ version: V3R3 + SMEs: + - carlosmmatos + +@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux V3R2. ++ DISA STIG for Red Hat Enterprise Linux V3R3. + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/rhel7/profiles/stig_gui.profile b/rhel7/profiles/stig_gui.profile +index c15ea10fdae..d41d2ef4f80 100644 +--- a/rhel7/profiles/stig_gui.profile ++++ b/rhel7/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R2 ++ version: V3R3 + SMEs: + - carlosmmatos + +@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG with GUI for Red Hat Enterprise Linux V3R2. ++ DISA STIG with GUI for Red Hat Enterprise Linux V3R3. 
+ + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this + configuration baseline as applicable to the operating system tier of + +From 6fd42b7545d9222d6bf68be59fab6bdfc916df25 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 6 May 2021 11:26:36 +0200 +Subject: [PATCH 2/2] update stig manual and overlay + +--- + rhel7/overlays/stig_overlay.xml | 40 ++- + ... => disa-stig-rhel7-v3r3-xccdf-manual.xml} | 337 ++++++++++-------- + 2 files changed, 212 insertions(+), 165 deletions(-) + rename shared/references/{disa-stig-rhel7-v3r2-xccdf-manual.xml => disa-stig-rhel7-v3r3-xccdf-manual.xml} (88%) + +diff --git a/rhel7/overlays/stig_overlay.xml b/rhel7/overlays/stig_overlay.xml +index cd50f655bc0..2bf837c8b3b 100644 +--- a/rhel7/overlays/stig_overlay.xml ++++ b/rhel7/overlays/stig_overlay.xml +@@ -1,7 +1,7 @@ + + + +- ++ + + </overlay> + <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high"> +@@ -56,7 +56,7 @@ + <VMSinfo VKey="204404" SVKey="204404r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/> + </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-010118" disa="192" severity="medium"> ++ <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010118" disa="192" severity="medium"> + <VMSinfo VKey="204405" SVKey="204405r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/> + </overlay> +@@ -156,6 +156,18 @@ + <VMSinfo VKey="204429" SVKey="204429r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/> + </overlay> ++ <overlay owner="disastig" 
ruleid="sudo_restrict_privilege_elevation_to_authorized" ownerid="RHEL-07-010341" disa="366" severity="medium"> ++ <VMSinfo VKey="237633" SVKey="237633r6468" VRelease="r646850"/> ++ <title text="The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel."/> ++ </overlay> ++ <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="RHEL-07-010342" disa="2227" severity="medium"> ++ <VMSinfo VKey="237634" SVKey="237634r6468" VRelease="r646853"/> ++ <title text="The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo"."/> ++ </overlay> ++ <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010343" disa="2038" severity="medium"> ++ <VMSinfo VKey="237635" SVKey="237635r6468" VRelease="r646856"/> ++ <title text="The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command."/> ++ </overlay> + <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium"> + <VMSinfo VKey="204430" SVKey="204430r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/> +@@ -284,7 +296,7 @@ + <VMSinfo VKey="204459" SVKey="204459r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-020270" disa="366" severity="medium"> ++ <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-020270" disa="366" severity="medium"> + <VMSinfo VKey="204460" SVKey="204460r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/> + </overlay> +@@ -456,15 +468,15 @@ + <VMSinfo 
VKey="204504" SVKey="204504r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030201" disa="1851" severity="medium"> ++ <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030201" disa="1851" severity="medium"> + <VMSinfo VKey="204506" SVKey="204506r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030210" disa="1851" severity="medium"> ++ <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030210" disa="1851" severity="medium"> + <VMSinfo VKey="204507" SVKey="204507r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030211" disa="1851" severity="medium"> ++ <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030211" disa="1851" severity="medium"> + <VMSinfo VKey="204508" SVKey="204508r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/> + </overlay> +@@ -488,7 +500,7 @@ + <VMSinfo VKey="204513" SVKey="204513r6032" VRelease="r603261"/> + <title text="The Red Hat 
Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium"> ++ <overlay owner="disastig" ruleid="auditd_data_retention_admin_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium"> + <VMSinfo VKey="204514" SVKey="204514r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/> + </overlay> +@@ -668,7 +680,7 @@ + <VMSinfo VKey="204558" SVKey="204558r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030819" disa="172" severity="medium"> ++ <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium"> + <VMSinfo VKey="204559" SVKey="204559r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/> + </overlay> +@@ -684,7 +696,7 @@ + <VMSinfo VKey="204562" SVKey="204562r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030840" disa="172" severity="medium"> ++ <overlay owner="disastig" 
ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium"> + <VMSinfo VKey="204563" SVKey="204563r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/> + </overlay> +@@ -753,7 +765,7 @@ + <title text="The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium"> +- <VMSinfo VKey="204579" SVKey="204579r6032" VRelease="r603261"/> ++ <VMSinfo VKey="204579" SVKey="204579r6468" VRelease="r646844"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="50" severity="medium"> +@@ -792,7 +804,7 @@ + <VMSinfo VKey="204588" SVKey="204588r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-07-040340" disa="2361" severity="medium"> ++ <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="RHEL-07-040340" disa="2361" severity="medium"> + <VMSinfo VKey="204589" SVKey="204589r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/> + </overlay> +@@ -928,7 +940,7 @@ + <VMSinfo VKey="204622" 
SVKey="204622r6038" VRelease="r603849"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040711" disa="366" severity="medium"> ++ <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="RHEL-07-040711" disa="366" severity="medium"> + <VMSinfo VKey="233307" SVKey="233307r6033" VRelease="r603301"/> + <title text="The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/> + </overlay> +@@ -936,8 +948,8 @@ + <VMSinfo VKey="204623" SVKey="204623r6032" VRelease="r603261"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/> + </overlay> +- <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="RHEL-07-040730" disa="366" severity="medium"> +- <VMSinfo VKey="204624" SVKey="204624r6032" VRelease="r603261"/> ++ <overlay owner="disastig" ruleid="xwindows_remove_packages" ownerid="RHEL-07-040730" disa="366" severity="medium"> ++ <VMSinfo VKey="204624" SVKey="204624r6468" VRelease="r646847"/> + <title text="The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium"> +diff --git a/shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml +similarity index 88% +rename from shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml +rename to shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml +index 6c807d755d4..f0e75ac1da9 100644 +--- 
a/shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml +@@ -1,21 +1,21 @@ +-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-12-08">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 22 Jan 20213.2.1.416661.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. ++acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 23 Apr 20213.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>
