From e3b0486f8f57940693b114708b09181a28621550 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2022 12:15:08 +0000 Subject: import scap-security-guide-0.1.57-8.el7_9 --- diff --git a/SOURCES/scap-security-guide-0.1.59-add-jinja-support-to-antivirus-rule-PR_7656.patch b/SOURCES/scap-security-guide-0.1.59-add-jinja-support-to-antivirus-rule-PR_7656.patch new file mode 100644 index 0000000..0eb802b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.59-add-jinja-support-to-antivirus-rule-PR_7656.patch @@ -0,0 +1,84 @@ +From a76930c35acc3eea8e8c76f048db99034962d4e2 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Mon, 27 Sep 2021 13:35:09 +0200 +Subject: [PATCH 1/2] Make package_mcafeetp_installed work on Ubuntu + +--- + .../package_mcafeetp_installed/rule.yml | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +index 095b6ab02d5..6159a69ed74 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +@@ -1,6 +1,12 @@ ++{{% if 'ubuntu' in product %}} ++{{% set pkg='mfetp' %}} ++{{% else %}} ++{{% set pkg='mcafeetp' %}} ++{{% endif %}} ++ + documentation_complete: true + +-prodtype: rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,ubuntu2004 + + title: 'Install McAfee Endpoint Security for Linux (ENSL)' + +@@ -9,7 +15,7 @@ description: |- + which is provided for DoD systems and uses signatures to search for the + presence of viruses on the filesystem. + +- {{{ describe_package_install(package="mcafeetp") }}} ++ {{{ describe_package_install(package=pkg) }}} + + rationale: |- + Virus scanning software can be used to detect if a system has been compromised by +@@ -25,12 +31,14 @@ references: + disa: CCI-001233 + nist: SI-2(2) + srg: SRG-OS-000191-GPOS-00080 ++ stigid@ol7: OL07-00-020019 + stigid@rhel7: RHEL-07-020019 + stigid@rhel8: RHEL-08-010001 ++ stigid@ubuntu2004: UBTU-20-010415 + + ocil_clause: 'the package is not installed' + +-ocil: '{{{ ocil_package(package="mcafeetp") }}}' ++ocil: '{{{ ocil_package(package=pkg) }}}' + + warnings: + - general: |- +@@ -41,7 +49,7 @@ warnings: + template: + name: package_installed + vars: +- pkgname: mcafeetp ++ pkgname: {{{ pkg }}} + backends: + bash: "off" + ansible: "off" + +From 7674ec00ff042551bd9469c2aa07bd79ce320933 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Mon, 27 Sep 2021 13:35:34 +0200 +Subject: [PATCH 2/2] Add package_mcafeetp_installed to Ubuntu 20.04 STIG + Profile + +--- + products/ubuntu2004/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile +index 90002996d06..a44039adf3d 100644 +--- a/products/ubuntu2004/profiles/stig.profile ++++ b/products/ubuntu2004/profiles/stig.profile +@@ -442,6 +442,7 @@ selections: + - encrypt_partitions + + # UBTU-20-010415 The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). ++ - package_mcafeetp_installed + + # UBTU-20-010416 The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + - permissions_local_var_log diff --git a/SOURCES/scap-security-guide-0.1.62-fix-antivirus-package-name-PR_8632.patch b/SOURCES/scap-security-guide-0.1.62-fix-antivirus-package-name-PR_8632.patch new file mode 100644 index 0000000..029b825 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-fix-antivirus-package-name-PR_8632.patch @@ -0,0 +1,22 @@ +From a30a42173dd0c15625db6d2f1fd57e0c61260a28 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 26 Apr 2022 16:53:14 +0200 +Subject: [PATCH] fix case of a package name + +--- + .../package_mcafeetp_installed/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +index b1da4909c20..3ec0ce14e30 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +@@ -1,7 +1,7 @@ + {{% if 'ubuntu' in product %}} + {{% set pkg='mfetp' %}} + {{% else %}} +-{{% set pkg='mcafeetp' %}} ++{{% set pkg='McAfeeTP' %}} + {{% endif %}} + + documentation_complete: true diff --git a/SOURCES/scap-security-guide-0.1.62-update-rhel7-stig-v3r7-PR_8636.patch b/SOURCES/scap-security-guide-0.1.62-update-rhel7-stig-v3r7-PR_8636.patch new file mode 100644 index 0000000..3ab2e40 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.62-update-rhel7-stig-v3r7-PR_8636.patch @@ -0,0 +1,105 @@ +From 73540cf1c601bc07e064c024981f82804c3b5690 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 26 Apr 2022 18:51:38 +0200 +Subject: [PATCH 2/3] Update DISA RHEL7 STIG manual benchmark to V3R7. + +--- + ...f-manual.xml => disa-stig-rhel7-v3r7-xccdf-manual.xml} | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + rename shared/references/{disa-stig-rhel7-v3r6-xccdf-manual.xml => disa-stig-rhel7-v3r7-xccdf-manual.xml} (99%) + +diff --git a/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml +similarity index 99% +rename from shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml +rename to shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml +index 62c5f363e18..2c680d73acc 100644 +--- a/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml +@@ -1,4 +1,4 @@ +-acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Jan 20223.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. ++acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 27 Apr 20223.3.0.273751.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. + + Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: + +@@ -921,7 +921,7 @@ Check to see if an encrypted grub superusers password is set. On systems that us + $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg + GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] + +-If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. ++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. + + Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + +@@ -942,7 +942,7 @@ Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the followin + + #/usr/X11R6/bin/xscreensaver-command -lock + +-Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. ++Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. + + Check to see if smartcard authentication is enforced on the system: + +@@ -956,7 +956,7 @@ If "smartcard removal action" is blank, this is a finding. + + # authconfig --test | grep "smartcard module" + +-If "smartcard module" is blank, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. If there is no evidence of multifactor authentication, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020000The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If any of the above checks are not configured, ask the administrator to indicate the AO-approved multifactor authentication in use and the configuration to support it. If there is no evidence of multifactor authentication, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020000The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + + +From 515c21c754224f1ef861674ba96c6ff1501ca410 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 26 Apr 2022 18:53:05 +0200 +Subject: [PATCH 3/3] Update version of RHEL7 STIG profiles to V3R7. + +--- + products/rhel7/profiles/stig.profile | 4 ++-- + products/rhel7/profiles/stig_gui.profile | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile +index 06bc62e679b..da0efc12855 100644 +--- a/products/rhel7/profiles/stig.profile ++++ b/products/rhel7/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R6 ++ version: V3R7 + SMEs: + - ggbecker + +@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux V3R6. ++ DISA STIG for Red Hat Enterprise Linux V3R7. + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile +index 932d0342c8e..24f2b886a74 100644 +--- a/products/rhel7/profiles/stig_gui.profile ++++ b/products/rhel7/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V3R6 ++ version: V3R7 + SMEs: + - ggbecker + +@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG with GUI for Red Hat Enterprise Linux V3R6. ++ DISA STIG with GUI for Red Hat Enterprise Linux V3R7. + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this + configuration baseline as applicable to the operating system tier of diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index fa75cc6..5483bc9 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -7,7 +7,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 6%{?dist} +Release: 8%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base @@ -101,6 +101,9 @@ Patch81: scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch Patch82: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch Patch83: scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch Patch84: add-include-remediation-back-to-sudo_require_reauthentication.patch +Patch85: scap-security-guide-0.1.59-add-jinja-support-to-antivirus-rule-PR_7656.patch +Patch86: scap-security-guide-0.1.62-fix-antivirus-package-name-PR_8632.patch +Patch87: scap-security-guide-0.1.62-update-rhel7-stig-v3r7-PR_8636.patch BuildArch: noarch @@ -203,6 +206,14 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{versio %endif %changelog +* Tue May 03 2022 Watson Sato - 0.1.57-8 +- Remove warning how to override audit buffer (RHBZ#1993822) + +* Wed Apr 27 2022 Watson Sato - 0.1.57-7 +- Add warning how to override audit buffer (RHBZ#1993822) +- Fix name of antivirus package in STIG profile (RHBZ#2066321) +- Update RHEL7 DISA STIG profile to v3r7 (RHBZ#2079217) + * Fri Feb 25 2022 Gabriel Becker - 0.1.57-6 - Fix bash remediation of sudo_require_reauthentication (RHBZ#2049532)