import scap-security-guide-0.1.72-1.el9_3

MSVSphere Packaging Team 9 months ago
parent 4c0eef54db
commit 3147133809

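--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.69.tar.bz2
+SOURCES/scap-security-guide-0.1.72.tar.bz2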

@ -1 +1 @@
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
e10feed870a3553b75798fbee88c27c95b84c7c2 SOURCES/scap-security-guide-0.1.72.tar.bz2

@ -1,91 +0,0 @@
From d98cffdc7ebd3c266e71ead933d401188ef0d66a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:05:37 +0100
Subject: [PATCH 07/14] Add rule `package_s-nail-installed`
Patch-name: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
Patch-status: Add rule `package_s-nail-installed`
---
components/s-nail.yml | 5 +++
.../srg_gpos/SRG-OS-000363-GPOS-00150.yml | 1 +
.../mail/package_s-nail_installed/rule.yml | 33 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
4 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 components/s-nail.yml
create mode 100644 linux_os/guide/services/mail/package_s-nail_installed/rule.yml
diff --git a/components/s-nail.yml b/components/s-nail.yml
new file mode 100644
index 0000000000..d93f8c52dc
--- /dev/null
+++ b/components/s-nail.yml
@@ -0,0 +1,5 @@
+name: s-nail
+packages:
+- s-nail
+rules:
+- package_s-nail_installed
diff --git a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
index 3ffba82f03..05a10a2304 100644
--- a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
+++ b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
@@ -7,4 +7,5 @@ controls:
rules:
- aide_periodic_cron_checking
- package_aide_installed
+ - package_s-nail_installed
status: automated
diff --git a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
new file mode 100644
index 0000000000..e14fbc9f35
--- /dev/null
+++ b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'The s-nail Package Is Installed'
+
+description: |-
+ A mail server is required for sending emails.
+ {{{ describe_package_install(package="s-nail") }}}
+
+rationale: |-
+ Emails can be used to notify designated personnel about important
+ system events such as failures or warnings.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86608-7
+
+references:
+ disa: CCI-001744
+ nist: CM-3(5)
+ srg: SRG-OS-000363-GPOS-00150
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="s-nail") }}}'
+
+template:
+ name: package_installed
+ vars:
+ pkgname: s-nail
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ef6afd3fbe..538d9d488d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -315,7 +315,6 @@ CCE-86604-6
CCE-86605-3
CCE-86606-1
CCE-86607-9
-CCE-86608-7
CCE-86609-5
CCE-86610-3
CCE-86612-9
--
2.43.0

@ -1,52 +0,0 @@
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 8 Aug 2023 15:15:21 +0200
Subject: [PATCH] Remove kernel cmdline check
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.
We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.
Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
@@ -57,19 +55,6 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
- check="all" check_existence="all_exist"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:variable_test id="test_system_crypto_policy_value" version="1"
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />

@ -1,272 +0,0 @@
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:02:08 +0200
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
This commit only improves readability without any technical impact in
the OVAL logic.
---
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
1 file changed, 50 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
<def-group>
- <definition class="compliance" id="enable_fips_mode" version="1">
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+ <extend_definition definition_ref="etc_system_fips_exists"
+ comment="check /etc/system-fips exists"/>
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
+ comment="check sysctl crypto.fips_enabled = 1"/>
+ <extend_definition definition_ref="enable_dracut_fips_module"
+ comment="Dracut FIPS module is enabled"/>
+ <extend_definition definition_ref="configure_crypto_policy"
+ comment="system cryptography policy is configured"/>
+ <criterion test_ref="test_system_crypto_policy_value"
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
- <extend_definition comment="Generic test for s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for s390x architecture"/>
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
- <extend_definition comment="Generic test for NOT s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for NOT s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
- test_ref="test_grubenv_fips_mode" />
+ <criterion test_ref="test_grubenv_fips_mode"
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -34,58 +40,71 @@
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
- check="all" check_existence="all_exist" version="1">
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
- check="all" check_existence="all_exist" version="1">
+
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
+
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
{{%- endif %}}
</ind:variable_state>
+
{{% if product in ["ol8","rhel8"] %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
- comment="Fips mode selected in running kernel opts" version="1">
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
+ check="all" check_existence="all_exist"
+ comment="Fips mode selected in running kernel opts">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
- version="1">
+
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">fips=1</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+
+ <external_variable id="var_system_crypto_policy" version="1"
+ datatype="string" comment="defined crypto policy"/>
</def-group>
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:20:33 +0200
Subject: [PATCH 2/2] Improve OVAL comments for better readability
Simplified the comments and aligned the respective lines to the
project Style Guides.
---
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
<extend_definition definition_ref="etc_system_fips_exists"
- comment="check /etc/system-fips exists"/>
+ comment="check /etc/system-fips file existence"/>
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
- comment="check sysctl crypto.fips_enabled = 1"/>
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
<extend_definition definition_ref="enable_dracut_fips_module"
- comment="Dracut FIPS module is enabled"/>
+ comment="dracut FIPS module is enabled"/>
<extend_definition definition_ref="configure_crypto_policy"
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for s390x architecture"/>
+ comment="generic test for s390x architecture"/>
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for NOT s390x architecture"/>
+ comment="generic test for non-s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion test_ref="test_grubenv_fips_mode"
comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -42,7 +42,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
</ind:textfilecontent54_object>
<ind:variable_test id="test_system_crypto_policy_value" version="1"
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
@@ -81,7 +81,8 @@
</ind:variable_object>
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
+to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
@@ -94,7 +95,7 @@
{{% if product in ["ol8","rhel8"] %}}
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
check="all" check_existence="all_exist"
- comment="Fips mode selected in running kernel opts">
+ comment="FIPS mode is selected in running kernel options">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
{{% endif %}}
<external_variable id="var_system_crypto_policy" version="1"
- datatype="string" comment="defined crypto policy"/>
+ datatype="string" comment="variable which selects the crypto policy"/>
</def-group>

@ -1,263 +0,0 @@
From 09b4ceaba513e23ee933349f8a89b9c9b7dc1c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Dec 2023 10:02:00 +0100
Subject: [PATCH 14/14] Add variable support to `auditd_name_format` rule
Patch-name: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
Patch-status: Add variable support to `auditd_name_format` rule
---
controls/srg_gpos.yml | 1 +
.../auditd_name_format/ansible/shared.yml | 7 +-
.../auditd_name_format/bash/shared.sh | 7 +-
.../auditd_name_format/oval/shared.xml | 49 ++++-
.../auditd_name_format/rule.yml | 23 ++-
.../var_auditd_flush.var | 2 +-
.../var_auditd_name_format.var | 18 ++
products/rhel7/profiles/stig.profile | 1 +
products/rhel8/profiles/stig.profile | 1 +
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
15 files changed, 289 insertions(+), 24 deletions(-)
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 1be70cf332..45fe8635c0 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -29,3 +29,4 @@ controls:
- var_auditd_space_left_action=email
- login_banner_text=dod_banners
- var_authselect_profile=sssd
+ - var_auditd_name_format=stig
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
index c933228357..015e9d6eff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
@@ -10,9 +10,14 @@
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
{{%- endif %}}
+{{{ ansible_instantiate_variables("var_auditd_name_format") }}}
+
+- name: "{{{ rule_title }}} - Define Value to Be Used in the Remediation"
+ ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0] }}"
+
{{{ ansible_set_config_file(file=auditd_conf_path,
parameter="name_format",
- value="hostname",
+ value="{{ auditd_name_format_split }}",
create=true,
separator=" = ",
separator_regex="\s*=\s*",
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
index 67a1203dd5..a08fddc901 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
@@ -10,9 +10,14 @@
{{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
{{%- endif %}}
+
+{{{ bash_instantiate_variables("var_auditd_name_format") }}}
+
+var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
+
{{{set_config_file(path=auditd_conf_path,
parameter="name_format",
- value="hostname",
+ value="$var_auditd_name_format",
create=true,
insensitive=true,
separator=" = ",
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
index 1bb86958fa..a98a46773b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
@@ -3,10 +3,47 @@
{{% else %}}
{{% set audisp_conf_file = "/auditd.conf" %}}
{{% endif %}}
+<def-group>
+ <definition class="compliance" id="auditd_name_format" version="1">
+ <metadata>
+ <title>Set type of computer node name logging in audit logs</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in {{{ audisp_conf_path + audisp_conf_file }}}</description>
+ </metadata>
+ <criteria comment="The respective application or service is configured correctly"
+ operator="OR"><criterion comment="Check the name_format in {{{ audisp_conf_path + audisp_conf_file }}}"
+ test_ref="test_auditd_name_format" />
+ </criteria>
+ </definition>
-{{{ oval_check_config_file(
- path=audisp_conf_path + audisp_conf_file,
- prefix_regex="^[ \\t]*(?i)",
- parameter="name_format",
- value="(?i)hostname(?-i)",
- separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of name_format setting in the {{{ audisp_conf_path + audisp_conf_file }}} file"
+ id="test_auditd_name_format" version="1">
+ <ind:object object_ref="obj_auditd_name_format" />
+ <ind:state state_ref="state_auditd_name_format" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_auditd_name_format" version="1">
+ <ind:filepath>{{{ audisp_conf_path + audisp_conf_file }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_auditd_name_format" version="1">
+ <ind:subexpression operation="pattern match" var_ref="var_auditd_name_format_regex" />
+ </ind:textfilecontent54_state>
+
+ <local_variable datatype="string" id="var_auditd_name_format_regex" version="1"
+ comment="Build regex to be case insensitive">
+ <concat>
+ <literal_component>(?i)</literal_component>
+ <variable_component var_ref="var_auditd_name_format"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="audit name_format setting" datatype="string"
+ id="var_auditd_name_format" version="1" />
+
+</def-group>
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
index 76a908f28f..4ee80e3d07 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -1,11 +1,11 @@
documentation_complete: true
-title: 'Set hostname as computer node name in audit logs'
+title: 'Set type of computer node name logging in audit logs'
description: |-
- To configure Audit daemon to use value returned by gethostname
- syscall as computer node name in the audit events,
- set <tt>name_format</tt> to <tt>hostname</tt>
+ To configure Audit daemon to use a unique identifier
+ as computer node name in the audit events,
+ set <tt>name_format</tt> to <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>
in <tt>/etc/audit/auditd.conf</tt>.
rationale: |-
@@ -32,17 +32,22 @@ references:
stigid@rhel8: RHEL-08-030062
stigid@rhel9: RHEL-09-653060
-ocil_clause: name_format isn't set to hostname
+ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
ocil: |-
- To verify that Audit Daemon is configured to record the hostname
- in audit events, run the following command:
+ To verify that Audit Daemon is configured to record the computer node
+ name in the audit events, run the following command:
<pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>
The output should return the following:
- <pre>name_format = hostname</pre>
+ <pre>name_format = {{{ xccdf_value("var_auditd_name_format") }}}</pre>
+
+warnings:
+ - general: |-
+ Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example
+ <pre>A|B|C</pre>, the first value will be used when remediating this rule.
fixtext: |-
- {{{ fixtext_audit_configuration(param="name_format", value="hostname") | indent(4) }}}
+ {{{ fixtext_audit_configuration(param="name_format", value=xccdf_value("var_auditd_name_format")) | indent(4) }}}
srg_requirement: |-
{{{ full_name }}} must label all off-loaded audit logs before sending them to the central log server.
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
index 3ae67d484a..f7b0bc5b8f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
@@ -13,5 +13,5 @@ options:
default: data
incremental: incremental
incremental_async: incremental_async
- none: none
+ none: "none"
sync: sync
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
new file mode 100644
index 0000000000..75cc597038
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Type of hostname to record the audit event'
+
+description: 'Type of hostname to record the audit event'
+
+type: string
+
+interactive: false
+
+options:
+ default: hostname
+ hostname: hostname
+ fqd: fqd
+ numeric: numeric
+ user: user
+ none: "none"
+ stig: hostname|fqd|numeric
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index 6483dfe3da..1e1e50765a 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -335,6 +335,7 @@ selections:
- accounts_authorized_local_users
- auditd_overflow_action
- auditd_name_format
+ - var_auditd_name_format=stig
- sebool_ssh_sysadm_login
- sudoers_default_includedir
- package_aide_installed
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 0e136784a1..3914fae78f 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -707,6 +707,7 @@ selections:
# RHEL-08-030062
- auditd_name_format
+ - var_auditd_name_format=stig
# RHEL-08-030063
- auditd_log_format
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7aabec8694..60dc9d3a50 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -473,6 +473,7 @@ selections:
- var_auditd_disk_error_action=rhel8
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=rhel8
+- var_auditd_name_format=stig
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
- var_authselect_profile=sssd
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index bef1437536..b77c8eab2f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -481,6 +481,7 @@ selections:
- var_auditd_disk_error_action=rhel8
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=rhel8
+- var_auditd_name_format=stig
- var_sssd_certificate_verification_digest_function=sha1
- login_banner_text=dod_banners
- var_authselect_profile=sssd
--
2.43.0

@ -1,21 +0,0 @@
From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 15 Aug 2023 15:17:16 +0200
Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
---
controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
index d5fe6e1327b..9d9dc579fc4 100644
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
@@ -7,6 +7,4 @@ controls:
rules:
- sshd_enable_pam
- sysctl_crypto_fips_enabled
- - harden_sshd_ciphers_openssh_conf_crypto_policy
- - harden_sshd_macs_openssh_conf_crypto_policy
status: automated

@ -1,30 +0,0 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'

@ -1,104 +0,0 @@
From cfbc85e51f15d106dd3cf03ef2fc7cd4f3c5d251 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:05:37 +0100
Subject: [PATCH 06/14] Update sshd_approved_ciphers value for RHEL in STIG
profile
Patch-name: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
Patch-status: Update sshd_approved_ciphers value for RHEL in STIG profile
---
controls/srg_gpos.yml | 2 +-
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 6 +++---
tests/data/profile_stability/rhel8/stig_gui.profile | 6 +++---
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 65d58d5291..1be70cf332 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -20,7 +20,7 @@ controls:
- var_password_hashing_algorithm=SHA512
- var_password_pam_dictcheck=1
- sshd_approved_macs=stig_extended
- - sshd_approved_ciphers=stig
+ - sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=rhel8
- var_account_disable_post_pw_expiration=35
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5be8fb8127..0e136784a1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -51,7 +51,7 @@ selections:
- var_password_pam_minlen=15
- var_sshd_set_keepalive=1
- sshd_approved_macs=stig_extended
- - sshd_approved_ciphers=stig
+ - sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 3fe7cdf4ea..7aabec8694 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,6 +1,6 @@
description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R9.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R11.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -22,7 +22,7 @@ description: 'This profile contains configuration checks that align to the
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
extends: null
metadata:
- version: V1R10
+ version: V1R11
SMEs:
- mab879
- ggbecker
@@ -455,7 +455,7 @@ selections:
- var_password_pam_retry=3
- var_sshd_set_keepalive=1
- sshd_approved_macs=stig_extended
-- sshd_approved_ciphers=stig
+- sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 66ada8588f..bef1437536 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -1,6 +1,6 @@
description: 'This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -33,7 +33,7 @@ description: 'This profile contains configuration checks that align to the
standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
extends: null
metadata:
- version: V1R10
+ version: V1R11
SMEs:
- mab879
- ggbecker
@@ -463,7 +463,7 @@ selections:
- var_password_pam_retry=3
- var_sshd_set_keepalive=1
- sshd_approved_macs=stig_extended
-- sshd_approved_ciphers=stig
+- sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
--
2.43.0

@ -1,212 +0,0 @@
From f0998f93828e756111294eb4c733fad77febd493 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Dec 2023 10:31:53 +0100
Subject: [PATCH 15/15] Update ssh stig HMACS and Ciphers allowed in OL8 STIG
Patch-name: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
Patch-status: Update ssh stig HMACS and Ciphers allowed in OL8 STIG
---
linux_os/guide/services/ssh/sshd_approved_ciphers.var | 1 +
.../tests/rhel8_stig_correct.pass.sh | 5 +++--
.../tests/rhel8_stig_empty_policy.fail.sh | 2 +-
.../tests/rhel8_stig_incorrect_policy.fail.sh | 2 +-
.../tests/rhel8_stig_missing_file.fail.sh | 2 +-
.../harden_sshd_macs_openssh_conf_crypto_policy/rule.yml | 4 ++--
.../tests/stig_correct.pass.sh | 5 +++--
.../tests/stig_correct_commented.fail.sh | 5 +++--
.../stig_correct_followed_by_incorrect_commented.pass.sh | 5 +++--
.../stig_incorrect_followed_by_correct_commented.fail.sh | 5 +++--
.../rule.yml | 4 ++--
products/ol8/profiles/stig.profile | 4 ++--
12 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 65c3fde987..4ab4d36cef 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -12,6 +12,7 @@ interactive: false
options:
stig: aes256-ctr,aes192-ctr,aes128-ctr
+ stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
index c84e0c1576..34b69406a3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -1,8 +1,9 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
-sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
configfile=/etc/crypto-policies/back-ends/opensshserver.config
correct_value="-oCiphers=${sshd_approved_ciphers}"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
index 66483e898a..60b4616ce5 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
configfile=/etc/crypto-policies/back-ends/opensshserver.config
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
index e350ce5f0a..3eca150b3f 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
configfile=/etc/crypto-policies/back-ends/opensshserver.config
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
index 11b194db03..f8659efcf0 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
configfile=/etc/crypto-policies/back-ends/opensshserver.config
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
index 8736e39afc..547c31545e 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -12,7 +12,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, ensure that
<tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
line and is not commented out:
- <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
+ <tt>MACs {{{ xccdf_value("sshd_approved_macs") }}}</tt>
rationale: |-
Overriding the system crypto policy makes the behavior of the OpenSSH
@@ -38,7 +38,7 @@ ocil: |-
To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
<pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
and verify that the line matches:
- <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+ <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
warnings:
- general: |-
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
index 6edae50924..49d18486f3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -1,8 +1,9 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
configfile=/etc/crypto-policies/back-ends/openssh.config
# Ensure directory + file is there
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
index 0fec46a5c3..b068e2ea4d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -1,8 +1,9 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
configfile=/etc/crypto-policies/back-ends/openssh.config
# Ensure directory + file is there
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
index 95bf94331c..f57f422701 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -1,8 +1,9 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
configfile=/etc/crypto-policies/back-ends/openssh.config
# Ensure directory + file is there
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
index 4af43d60e7..999463e1c2 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -1,8 +1,9 @@
#!/bin/bash
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
configfile=/etc/crypto-policies/back-ends/openssh.config
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
index f08f120f9a..a76cee71d8 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
@@ -12,7 +12,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, ensure that
<tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
text and is not commented out:
- <tt>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</tt>
+ <tt>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</tt>
rationale: |-
Overriding the system crypto policy makes the behavior of the OpenSSH
@@ -38,7 +38,7 @@ ocil: |-
To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
<pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
and verify that the line matches:
- <pre>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</pre>
+ <pre>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</pre>
warnings:
- general: |-
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index ae2795c4fb..2be62c59ca 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -38,8 +38,8 @@ selections:
- var_password_pam_retry=3
- var_password_pam_minlen=15
- var_sshd_set_keepalive=0
- - sshd_approved_macs=stig
- - sshd_approved_ciphers=stig
+ - sshd_approved_macs=stig_extended
+ - sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=ol8
- var_accounts_passwords_pam_faillock_deny=3
--
2.43.0

@ -1,158 +0,0 @@
From 1927922065ba7cab8e389d6b2e4ec014be491bed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:05:37 +0100
Subject: [PATCH 09/14] Add cron.deny Owership Rules
Patch-name: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
Patch-status: Add cron.deny Owership Rules
---
components/cronie.yml | 2 +
.../srg_gpos/SRG-OS-000480-GPOS-00227.yml | 2 +
.../file_groupowner_cron_deny/rule.yml | 39 ++++++++++++++++++
.../cron_and_at/file_owner_cron_deny/rule.yml | 41 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 2 -
5 files changed, 84 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
create mode 100644 linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
diff --git a/components/cronie.yml b/components/cronie.yml
index c11edb518e..b8bf7f264a 100644
--- a/components/cronie.yml
+++ b/components/cronie.yml
@@ -8,6 +8,8 @@ rules:
- disable_anacron
- file_at_deny_not_exist
- file_cron_deny_not_exist
+- file_owner_cron_deny
+- file_groupowner_cron_deny
- file_groupowner_at_allow
- file_groupowner_cron_allow
- file_groupowner_cron_d
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
index be60a154c1..d78256777c 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -64,6 +64,8 @@ controls:
- file_permissions_ungroupowned
- dir_perms_world_writable_root_owned
- no_files_unowned_by_user
+ - file_owner_cron_deny
+ - file_groupowner_cron_deny
# service disabled
# - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
new file mode 100644
index 0000000000..7cacc3fc7b
--- /dev/null
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Verify Group Who Owns cron.deny'
+
+description: |-
+ {{{ describe_file_group_owner(file="/etc/cron.deny", group="root") }}}
+
+rationale: |-
+ Service configuration files enable or disable features of their respective services that if configured incorrectly
+ can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
+ correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86537-8
+
+
+references:
+ disa: CCI-000366
+ nist: CM-6 b
+ srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/etc/cron.deny", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/cron.deny/", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/cron.deny", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/cron.deny
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
new file mode 100644
index 0000000000..4297313a74
--- /dev/null
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Verify Owner on cron.deny'
+
+description: |-
+ {{{ describe_file_owner(file="/etc/cron.deny", owner="root") }}}
+
+rationale: |-
+ Service configuration files enable or disable features of their respective services that if configured incorrectly
+ can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
+ correct user to prevent unauthorized changes.
+
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86887-7
+
+references:
+ disa: CCI-000366
+ nist: CM-6 b
+ srg: SRG-OS-000480-GPOS-00227
+
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/etc/cron.deny", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/cron.deny/", owner="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/cron.deny", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/cron.deny
+ fileuid: '0'
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 60663b117a..8ae1e4186f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -259,7 +259,6 @@ CCE-86528-7
CCE-86530-3
CCE-86535-2
CCE-86536-0
-CCE-86537-8
CCE-86538-6
CCE-86539-4
CCE-86540-2
@@ -516,7 +515,6 @@ CCE-86880-2
CCE-86881-0
CCE-86882-8
CCE-86886-9
-CCE-86887-7
CCE-86888-5
CCE-86889-3
CCE-86890-1
--
2.43.0


@ -1,26 +0,0 @@
From eb4cedf1097bb556134a03648a99c60b16fa4726 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:22:29 +0100
Subject: [PATCH 12/14] Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
Patch-name: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
Patch-status: Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
---
.../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
index fef91a47df..3df07a5689 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
@@ -45,6 +45,7 @@ references:
nist-csf: PR.AC-4,PR.DS-5
pcidss: Req-7.1
pcidss4: "2.2.6"
+ srg: SRG-OS-000480-GPOS-00227
stigid@rhel9: RHEL-09-212030
ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}}'
--
2.43.0

@ -1,26 +0,0 @@
From 89c7d9f8e9837383047b036c9a42a9986590f307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:22:29 +0100
Subject: [PATCH 11/14] Add var_networkmanager_dns_mode to RHEL 9 STIG
Patch-name: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
Patch-status: Add var_networkmanager_dns_mode to RHEL 9 STIG
---
controls/stig_rhel9.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
index 0966ebb6fc..b576ba08c3 100644
--- a/controls/stig_rhel9.yml
+++ b/controls/stig_rhel9.yml
@@ -1516,6 +1516,7 @@ controls:
title: RHEL 9 must configure a DNS processing mode set be Network Manager.
rules:
- networkmanager_dns_mode
+ - var_networkmanager_dns_mode=none
status: automated
- id: RHEL-09-252045
--
2.43.0

@ -1,294 +0,0 @@
From 6f11431ae6ff21170b11e6777141cbe33a8ffe42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:05:37 +0100
Subject: [PATCH 08/14] New Rule networkmanager_dns_mode
Patch-name: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
Patch-status: New Rule networkmanager_dns_mode
---
components/networkmanager.yml | 5 +++
.../srg_gpos/SRG-OS-000480-GPOS-00227.yml | 4 +++
.../system/network/networkmanager/group.yml | 7 ++++
.../ansible/shared.yml | 14 ++++++++
.../networkmanager_dns_mode/bash/shared.sh | 11 ++++++
.../networkmanager_dns_mode/oval/shared.xml | 12 +++++++
.../policy/stig/shared.yml | 15 ++++++++
.../networkmanager_dns_mode/rule.yml | 34 +++++++++++++++++++
.../tests/correct.pass.sh | 8 +++++
.../tests/correct_default.pass.sh | 8 +++++
.../tests/missing.fail.sh | 4 +++
.../tests/wrong_value.fail.sh | 8 +++++
.../var_networkmanager_dns_mode.var | 19 +++++++++++
shared/applicability/package.yml | 2 ++
shared/references/cce-redhat-avail.txt | 1 -
15 files changed, 151 insertions(+), 1 deletion(-)
create mode 100644 components/networkmanager.yml
create mode 100644 linux_os/guide/system/network/networkmanager/group.yml
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
diff --git a/components/networkmanager.yml b/components/networkmanager.yml
new file mode 100644
index 0000000000..75d54b9490
--- /dev/null
+++ b/components/networkmanager.yml
@@ -0,0 +1,5 @@
+name: NetworkManager
+packages:
+- NetworkManager
+rules:
+- networkmanager_dns_mode
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
index 1aceb0b187..be60a154c1 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -225,6 +225,10 @@ controls:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled
+ # NetworkManger
+ - networkmanager_dns_mode
+ - var_networkmanager_dns_mode=none
+
# misc
- enable_authselect
- no_host_based_files
diff --git a/linux_os/guide/system/network/networkmanager/group.yml b/linux_os/guide/system/network/networkmanager/group.yml
new file mode 100644
index 0000000000..4abf48ed96
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'Network Manager'
+
+description: |-
+ The NetworkManager daemon configures a variety of network connections.
+ This section discusses how to configure NetworkManager.
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
new file mode 100644
index 0000000000..b416038bd9
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}
+
+{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}
+
+- name: "{{{ rule_title }}} - Ensure Network Manager"
+ ansible.builtin.systemd:
+ name: NetworkManager
+ state: reloaded
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
new file mode 100644
index 0000000000..88491d288d
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}
+
+{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}
+
+systemctl reload NetworkManager
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
new file mode 100644
index 0000000000..cb07c9a9ed
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
@@ -0,0 +1,12 @@
+{{{
+oval_check_ini_file(
+ path="/etc/NetworkManager/NetworkManager.conf",
+ section="main",
+ parameter="dns",
+ value="default|none",
+ missing_parameter_pass=false,
+ application="NetworkManager",
+ multi_value=false,
+ missing_config_file_fail=true
+)
+}}}
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
new file mode 100644
index 0000000000..b644587b41
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
@@ -0,0 +1,15 @@
+checktext: |-
+ [main]
+ dns=none
+
+ If the dns key under main does not exist or is not set to "none" or "default", this is a finding.
+
+fixtext: |-
+ Configure NetworkManager in RHEL 9 to use a DNS mode.
+
+ In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:
+
+ dns = none
+
+srg_requirement: |-
+ {{ full_name }} must configure a DNS processing mode set be Network Manager.
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
new file mode 100644
index 0000000000..8b703cb2f1
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'NetworkManager DNS Mode Must Be Must Configured'
+
+description:
+ The DNS processing mode in NetworkManager describes how DNS is processed on the system.
+ Depending the mode some changes the system's DNS may not be respected.
+
+rationale:
+ To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86805-9
+
+references:
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'
+
+
+ocil: |-
+ Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.
+
+ $ NetworkManager --print-config
+ [main]
+ dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}
+
+platform: package[NetworkManager]
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
new file mode 100644
index 0000000000..7af3e14fc3
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_networkmanager_dns_mode = none
+# packages = NetworkManager
+
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
+[main]
+dns=none
+EOM
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
new file mode 100644
index 0000000000..a19040e2d5
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_networkmanager_dns_mode = default
+# packages = NetworkManager
+
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
+[main]
+dns=default
+EOM
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
new file mode 100644
index 0000000000..b81d82c807
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# variables = var_networkmanager_dns_mode = default
+
+sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..6de904b372
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_networkmanager_dns_mode = default
+# packages = NetworkManager
+
+cat > /etc/NetworkManager/NetworkManager.conf << EOM
+[main]
+dns=dnsmasq
+EOM
diff --git a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
new file mode 100644
index 0000000000..1be615dff9
--- /dev/null
+++ b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'NetoworkManager DNS Mode'
+
+type: string
+
+description: |-
+ This sets how NetworkManager handles DNS.
+
+ none - NetworkManager will not modify resolv.conf.
+ default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.
+
+interactive: true
+
+operator: 'equals'
+
+options:
+ none: none
+ default: default
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
index ee52a50f1f..4718c7cf71 100644
--- a/shared/applicability/package.yml
+++ b/shared/applicability/package.yml
@@ -87,3 +87,5 @@ args:
pkgname: zypper
openssh:
pkgname: openssh
+ networkmanager:
+ pkgname: NetworkManager
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 538d9d488d..60663b117a 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -459,7 +459,6 @@ CCE-86799-4
CCE-86802-6
CCE-86803-4
CCE-86804-2
-CCE-86805-9
CCE-86806-7
CCE-86807-5
CCE-86808-3
--
2.43.0

@ -1,67 +0,0 @@
From 9062da533315a871939f3c22d4154e1f4141d432 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Dec 2023 16:22:30 +0100
Subject: [PATCH 13/14] Minor modifications to RHEL STIG profiles
Patch-name: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
Patch-status: Minor modifications to RHEL STIG profiles
---
controls/stig_rhel9.yml | 2 +-
.../password_quality/passwd_system-auth_substack/rule.yml | 1 -
.../audit_rules_immutable_login_uids/rule.yml | 1 +
.../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 --
4 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
index b576ba08c3..73d9e9e1aa 100644
--- a/controls/stig_rhel9.yml
+++ b/controls/stig_rhel9.yml
@@ -4114,7 +4114,7 @@ controls:
- medium
title: RHEL 9 audit system must protect logon UIDs from unauthorized change.
rules:
- - audit_immutable_login_uids
+ - audit_rules_immutable_login_uids
status: automated
- id: RHEL-09-654275
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
index 89b82af3f2..55d3e47a54 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
@@ -19,7 +19,6 @@ references:
nist: IA-5(1)(a),IA-5(1).1(v),IA-5(1)(a)
srg: SRG-OS-000069-GPOS-00037
stigid@ol7: OL07-00-010118
- stigid@rhel7: RHEL-07-010118
ocil_clause: '/etc/pam.d/passwd does not implement /etc/pam.d/system-auth'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
index 46e249efbb..6a8ea53fc5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
@@ -33,6 +33,7 @@ references:
disa: CCI-000162,CCI-000163,CCI-000164
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
stigid@rhel8: RHEL-08-030122
+ stigid@rhel9: RHEL-09-654270
ocil_clause: 'the system is not configured to make login UIDs immutable'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index 9f2f7dbc11..dbf1015a19 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -35,8 +35,6 @@ references:
ospp: FAU_GEN.1.2
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
stigid@ol8: OL08-00-030122
- stigid@rhel8: RHEL-08-030122
- stigid@rhel9: RHEL-09-654270
ocil_clause: 'the file does not exist or the content differs'
--
2.43.0

@ -5,39 +5,12 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.69
Release: 3%{?dist}
Version: 0.1.72
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Fix rule enable_fips_mode
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
# Update sshd_approved_ciphers value for RHEL in STIG profile
Patch5: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
# Add rule `package_s-nail-installed`
Patch6: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
# New Rule networkmanager_dns_mode
Patch7: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
# Add cron.deny Owership Rules
Patch8: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
# Add RHEL 9 STIG
Patch9: scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
# Add var_networkmanager_dns_mode to RHEL 9 STIG
Patch10: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
# Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
Patch11: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
# Minor modifications to RHEL STIG profiles
Patch12: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
# Add variable support to `auditd_name_format` rule
Patch13: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
# Update ssh stig HMACS and Ciphers allowed in OL8 STIG
Patch14: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
BuildArch: noarch
BuildRequires: libxslt
@ -125,6 +98,15 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Tue Feb 13 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-21425)
- Check dropin files in /etc/systemd/journald.conf.d/ (RHEL-14484)
- Fix remediation to not update comments (RHEL-1484)
- Fix package check on SCAP tests for dnf settings (RHEL-17417)
- Update description for audit_rules_kernel_module_loading (RHEL-1489)
- Disable remediation for /dev/shm options in offline mode (RHEL-16801)
- Include explanatory comment in the remediation of CCE-83871-4 (RHEL-17418)
* Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
- Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
