From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 14 Nov 2022 15:46:12 +0100 Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny Rules are stored in different places depending on the system version. These changes are now explicit in ocil and fixtext. In RHEL8.6 it was introduced the rules.d feature and together the fagenrules script which reads and concatenate the rules from rules.d to finally save the result in the /etc/fapolicyd/compiled.rules file. --- .../services/fapolicyd/fapolicy_default_deny/rule.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml index 5b9a1649571..eeecd34e69a 100644 --- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml @@ -39,10 +39,14 @@ ocil: |- permissive = 0 - Check that fapolicyd employs a deny-all policy on system mounts with the following command: + Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + For RHEL 8.5 systems and older: $ sudo tail /etc/fapolicyd/fapolicyd.rules + For RHEL 8.6 systems and newer: + $ sudo tail /etc/fapolicyd/compiled.rules + allow exe=/usr/bin/python3.7 : ftype=text/x-python deny_audit perm=any pattern=ld_so : all deny perm=any all : all 
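Review bot: The new `For RHEL 8.6 systems and newer` guidance points the reader at `/etc/fapolicyd/compiled.rules`, but neither this ocil hunk nor the fixtext hunk that follows (`@@ -54,8 +58,12 @@ fixtext`) says that compiled.rules is only regenerated from `/etc/fapolicyd/rules.d` when fagenrules runs (the series description itself says fagenrules concatenates rules.d into compiled.rules). A whitelist built in rules.d as the fixtext instructs therefore changes neither what `tail /etc/fapolicyd/compiled.rules` shows nor what fapolicyd enforces until that step happens, so a reader can follow the fix and still fail the check, or read a stale compiled.rules and pass. I would add one line in both places, e.g. `After editing files in /etc/fapolicyd/rules.d, run "fagenrules --load" (or restart the fapolicyd service) so the rules are compiled into /etc/fapolicyd/compiled.rules.` `tail` showing only the last ten lines is fine here, since the requirement is about the final rule.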
@@ -54,8 +58,12 @@ fixtext: |- permissive = 1 + For RHEL 8.5 systems and older: Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all". + For RHEL 8.6 systems and newer: + Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all". + Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. permissive = 0 From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 17 Nov 2022 09:40:20 +0100 Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny Firstly, the existing checks were aligned to the style guides and the comments were reviewed. The regex used to identify the expected policy was also fixed since it wasn't ensuring the deny policy if defined in a wrong position. Finally, the assessment was extended to consider the /etc/fapolicyd/compiled.rules file. --- .../fapolicy_default_deny/oval/shared.xml | 64 +++++++++++++------ 1 file changed, 43 insertions(+), 21 deletions(-) diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml index 9989459ad22..40bdcf870ca 100644 --- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml +++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
@@ -4,36 +4,58 @@ oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy") }}} - - + + + + + - - + + - - + + + /etc/fapolicyd/compiled.rules + ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z + 1 + + + + + + + /etc/fapolicyd/fapolicyd.rules - (^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$ + ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z 1 - - - + + + + - + + /etc/fapolicyd/fapolicyd.conf ^\s*permissive\s*=\s*(\d+) - 1 + 1 - - 0 - + + + 0 + From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001 
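Review bot: The new pattern `^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z`, used for both compiled.rules and fapolicyd.rules, separates the tokens with `\s*`, which also matches nothing, so a last line such as `denyperm=anyall:all` satisfies the check although it is not the rule the ocil examples show, and `\s*` can equally span a newline between `deny` and `perm=any`. `^\s*deny[ \t]+perm=any[ \t]+all\s*:\s*all\s*\z` keeps the end-of-file anchor this commit introduces and requires the spacing the rule examples have. How the two file tests are combined in the criteria is not readable in this collapsed hunk; if they are OR'ed, a stale `/etc/fapolicyd/fapolicyd.rules` that still ends in the deny rule would satisfy the check on a RHEL 8.6+ host whose active compiled.rules does not, which is worth confirming against the criteria element.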
From: Marcus Burghardt Date: Thu, 17 Nov 2022 10:32:51 +0100 Subject: [PATCH 3/5] Refactored the test scenario scripts The scripts were invalid and wrongly reporting results. The main issue was in scripts which intended to create two lines in a file but were overwriting the entire file in the second command instead of appending the second line. The scripts were also refactored to consider systems using the rules.d feature and also older systems which don't have the rules.d feature. Another issue was that "no_quotes" was false by default in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect quotes and this was causing inconsistency in the file, so the no_quotes was set to true when calling the macro from test scenarios. Finally, the script names were better aligned to their respective scenarios. --- .../tests/allow_policy.fail.sh | 18 ++++++++++++++++++ .../tests/commented_value.fail.sh | 12 ------------ .../tests/correct_value.pass.sh | 12 ------------ .../tests/deny_not_last.fail.sh | 12 ------------ .../tests/deny_policy.pass.sh | 18 ++++++++++++++++++ .../tests/deny_policy_but_permissive.fail.sh | 16 ++++++++++++++++ .../tests/deny_policy_commented.fail.sh | 18 ++++++++++++++++++ .../tests/deny_policy_not_ensured.fail.sh | 18 ++++++++++++++++++ .../tests/fapolicy_permissive.fail.sh | 5 ----- .../tests/wrong_value.fail.sh | 11 ----------- 10 files changed, 88 insertions(+), 52 deletions(-) create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh create mode 100644
linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
new file mode 100644
index 00000000000..23d7e699056
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "allow perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
deleted file mode 100644
index a8df835af76..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+++ /dev/null
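Review bot: The scenario picks the file to rewrite by `[ -f /etc/fapolicyd/compiled.rules ]` and touches only that one, so on a host where both `/etc/fapolicyd/compiled.rules` and `/etc/fapolicyd/fapolicyd.rules` exist the other file keeps its previous content; whether a leftover `deny perm=any all : all` there can mask a fail scenario depends on how the OVAL combines its two file tests, which the collapsed OVAL hunk does not let me read, so it is worth confirming. A comment above the `if` recording the assumption would help, e.g. `# RHEL 8.6+ keeps the active policy in compiled.rules (the fagenrules output); older releases use fapolicyd.rules`. On style, `truncate -s 0 $active_rules_file` and the two `>> $active_rules_file` redirections leave the variable unquoted — the paths contain no whitespace, but `"$active_rules_file"` matches the quoted assignments above it and is the conventional form. deny_policy.pass.sh, deny_policy_but_permissive.fail.sh, deny_policy_commented.fail.sh and deny_policy_not_ensured.fail.sh share the same block and the same notes.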
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
deleted file mode 100644
index c88406b0be4..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
deleted file mode 100644
index 59b16308563..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
new file mode 100644
index 00000000000..f3ff83ca602
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
new file mode 100644
index 00000000000..caa401ca174
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
new file mode 100644
index 00000000000..4e4bc430cec
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "# deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
new file mode 100644
index 00000000000..b52e5446afc
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "deny perm=any all : all" >> $active_rules_file
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
deleted file mode 100644
index 50756a0e7a3..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
deleted file mode 100644
index da3e33f57fd..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt Date: Thu, 17 Nov 2022 11:02:34 +0100 Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces Once the test scenario scripts were fixed, an issue was revealed in the bash_shell_file_set macro. The macro was not considering config files which have spaces before and after the separator character. Since the separator_regex parameter already expects regex format, it was easily extended. --- shared/macros/10-bash.jinja | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index ae0f0e5e6ad..0e369314645 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -122,13 +122,13 @@ fi {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} {{% if no_quotes -%}} {{% if "$" in value %}} - {{% set value = '%s' % value.replace("$", "\\$") %}} + {{% set value = '%s' % value.replace("$", "\\$") %}} {{% endif %}} {{%- else -%}} {{% if "$" in value %}} - {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}} + {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}} {{% else %}} - {{% set value = "'%s'" % value %}} + {{% set value = "'%s'" % value %}} {{% endif %}} {{%- endif -%}} {{{ set_config_file( @@ -140,7 +140,7 @@ fi insert_before="^#\s*" ~ parameter, insensitive=false, separator="=", - separator_regex="=", + separator_regex="\s*=\s*", prefix_regex="^\s*") }}} {{%- endmacro -%}} From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 18 Nov 2022 09:58:47 +0100 Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor version text. --- .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ++++ 1 file changed, 4 insertions(+)
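Review bot: Widening `separator_regex` to `"\s*=\s*"` in the second hunk (`@@ -140,7 +140,7 @@`) changes matching for every caller of `bash_shell_file_set`, not only the fapolicyd scenarios that prompted it; since `separator` stays `"="`, a line written as `permissive = 1` now matches and — if set_config_file rewrites the whole matched line, which this hunk does not show — comes back as `permissive=1` without the spaces. That is what the series wants for fapolicyd.conf, but in a shared macro it deserves a comment next to the `set_config_file(` call, e.g. `separator_regex accepts optional whitespace around "=" (e.g. "key = value"); the rewritten line uses separator="=" with no spaces`. The first hunk in this file (`@@ -122,13 +122,13 @@`) is indentation-only.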
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml index eeecd34e69a..220801bc471 100644 --- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml +++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml @@ -41,10 +41,12 @@ ocil: |- Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + {{%- if product in ["rhel8"] %}} For RHEL 8.5 systems and older: $ sudo tail /etc/fapolicyd/fapolicyd.rules For RHEL 8.6 systems and newer: + {{%- endif %}} $ sudo tail /etc/fapolicyd/compiled.rules allow exe=/usr/bin/python3.7 : ftype=text/x-python @@ -58,10 +60,12 @@ fixtext: |- permissive = 1 + {{%- if product in ["rhel8"] %}} For RHEL 8.5 systems and older: Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all". For RHEL 8.6 systems and newer: + {{%- endif %}} Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all". Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
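Review bot: The `{{%- if product in ["rhel8"] %}}` and `{{%- endif %}}` tags strip all whitespace before them, including every preceding newline, not just the one ending the previous line; in the fixtext hunk (`@@ -58,10 +60,12 @@`) the opening tag follows `permissive = 1`, and the collapsed hunk hides blank context lines but the line counts suggest a blank line sits between them, in which case that paragraph break disappears from the rendered text for every product, and likewise before `Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory` after the `{{%- endif %}}`. The ocil hunk is not affected because its tags follow `commands:` and `newer:` directly. If the blank line is there, `{{% if product in ["rhel8"] %}}` / `{{% endif %}}` without the left-side `-` keeps the break (leaving an indented empty line inside the block scalar, depending on the build's trim settings); checking the rendered output for rhel8 and one non-rhel8 product would settle it.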