commit d4e70e3a158dec60324abf14dc4a6641a3eab9a2
Author: CentOS Sources
Date: Tue Nov 15 01:45:20 2022 -0500
import scap-security-guide-0.1.63-5.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..17ac62d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.63.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..1bcd25e
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch b/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
new file mode 100644
index 0000000..9970f6d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
@@ -0,0 +1,2093 @@ +From 1f53aae9b711466ce3d8f5d72d544c16024b6f7f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:21:36 +0200 +Subject: [PATCH 01/18] add ppc64le applicability platform + +--- + shared/applicability/arch.yml | 6 ++++ + ...proc_sys_kernel_osrelease_arch_ppc64le.xml | 33 +++++++++++++++++++ + 2 files changed, 39 insertions(+) + create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml + +diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml +index cb64a037192..1223001846a 100644 +--- a/shared/applicability/arch.yml ++++ b/shared/applicability/arch.yml +@@ -28,3 +28,9 @@ cpes: + bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease' + ansible_conditional: 'ansible_architecture == "aarch64"' + ++ - ppc64le_arch: ++ name: "cpe:/a:ppc64le_arch" ++ title: "System architecture is ppc64le" ++ check_id: proc_sys_kernel_osrelease_arch_ppc64le ++ bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease' ++ ansible_conditional: 'ansible_architecture == "ppc64le"' +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml +new file mode 100644 +index 00000000000..058de0db5e7 +--- /dev/null ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml +@@ -0,0 +1,33 @@ ++ ++ ++ ++ Test that the architecture is ppc64le ++ ++ multi_platform_all ++ ++ Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/sys/kernel/osrelease ++ ^.*\.(.*)$ ++ 1 ++ ++ ++ ++ ^ppc64le$ ++ ++ + +From ced2b8699637af0f75786bd07f2944a6febaa531 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:46:47 +0200 +Subject: [PATCH 02/18] add audit_access_failed_ppc64le + +--- + .../policy_rules/audit_access_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 ++++++ + .../audit_access_failed_ppc64le/rule.yml | 54 +++++++++++++++++++ + 3 files 
changed, 70 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +index 87fc33ad041..74f92b94762 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..412c67f15a1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A ++ 
mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..f764da506e9 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file accesses (ppc64le)' ++ ++{{% set file_contents_audit_access_failed = ++"## Unsuccessful file access (any other opens) This has to go last. ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85953-8 ++ cce@rhel9: CCE-85955-3 ++ ++references: ++ ism: 0582,0584,05885,0586,0846,0957 ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ++ contents: |- ++ {{{ file_contents_audit_access_failed|indent(12) }}} + +From 6c9b276ce50932934afa4e1af38ee5cd88166580 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:56:29 +0200 +Subject: [PATCH 03/18] add audit_access_success ppc64le + +--- + .../audit_access_success/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 ++++++ + .../audit_access_success_ppc64le/rule.yml | 54 +++++++++++++++++++ + 3 files changed, 70 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +index 284ed1756ff..7646d5f9f4b 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +@@ -27,7 +27,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..372b7c27c76 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ 
ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..b76fe0b4a4e +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file accesses (ppc64le)' ++ ++{{% set file_contents_audit_access_success = ++"## Successful file access (any other opens) This has to go last. ++## These next two are likely to result in a whole lot of events ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}} ++ ++description: |- ++ Ensure that successful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to access a file helps in investigation of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85960-3 ++ cce@rhel9: CCE-85961-1 ++ ++references: ++ ism: 0582,0584,05885,0586,0846,0957 ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules ++ contents: |- ++ {{{ file_contents_audit_access_success|indent(12) }}} + +From 7a343648d9e206a1b981f4235daeb9dd3cd475dc Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:01:03 +0200 +Subject: [PATCH 04/18] add audit_create_failed ppc64le + +--- + .../policy_rules/audit_create_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_create_failed_ppc64le/rule.yml | 57 +++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +index f4da514e080..ac5e1f97413 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +@@ -36,7 +36,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..08c8dc85507 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 
3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..ead598f8b9a +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file creations (ppc64le)' ++ ++{{% set file_contents_audit_create_failed = ++"## Unsuccessful file creation (open with O_CREAT) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a 
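Review bot: The header `# platform = multi_platform_rhel,multi_platform_fedora` of audit_create_failed_ppc64le/kubernetes/shared.yml omits multi_platform_rhcos, while every other kubernetes/shared.yml added in this series (access_failed, access_success, delete_failed, delete_success, modify_failed) lists it and the rule's own prodtype includes rhcos4. If the omission is unintentional, the MachineConfig remediation for this rule would presumably not be generated for rhcos4 at all, so the one-line fix is `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos`. The non-ppc64le audit_create_failed shared.yml is not visible on this page, so confirm against it before changing.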
always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85962-9 ++ cce@rhel9: CCE-85965-2 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules ++ contents: |- ++ {{{ file_contents_audit_create_failed|indent(12) }}} + +From c433196a29cfcf5b3dca2f3cde7dc230f43a181e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:03:38 +0200 +Subject: [PATCH 05/18] add audit_create_success ppc64le + +--- + .../audit_create_success/rule.yml | 2 +- + .../audit_create_success_ppc64le/rule.yml | 54 +++++++++++++++++++ + 2 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +index 43e8674178b..21e71077030 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +@@ -30,7 +30,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +new file mode 100644 +index 00000000000..294947c14ba +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file creations (ppc64le)' ++ ++{{% set file_contents_audit_create_success = ++"## Successful file creation (open with O_CREAT) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S creat -F success=1 -F 
auid>=1000 -F auid!=unset -F key=successful-create" %}} ++ ++description: |- ++ Ensure that successful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_success |indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85966-0 ++ cce@rhel9: CCE-85968-6 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules ++ contents: |- ++ {{{ file_contents_audit_create_success|indent(12) }}} + +From d8593e7d56ed85f34f228b24526b703eed141071 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:07:50 +0200 +Subject: [PATCH 06/18] add audit_delete_failed ppc64le + +--- + .../policy_rules/audit_delete_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_delete_failed_ppc64le/rule.yml | 65 +++++++++++++++++++ + 3 files changed, 81 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +index 07ed41a9c4f..5ac68376970 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..2fb2c25aa30 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ 
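Review bot: The description block of audit_create_success_ppc64le/rule.yml reads `{{{ file_contents_audit_create_success |indent }}}` with a stray space before the pipe, whereas the ocil block of the same file and the sibling rules in this series write `{{{ file_contents_audit_create_success|indent }}}`; the space should be dropped for consistency. Separately, the new-file header for this rule.yml in the patch shows `+new file mode 100644` without a preceding `+diff --git a/... b/...` line, unlike every other new file in the series. That may be an artifact of how this page was rendered, but if the line is really absent from the .patch file it is worth confirming that the patch still applies cleanly when the package is built.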
ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..c8c532cb3bb +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -0,0 +1,65 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file deletions (ppc64le)' ++ ++{{% set file_contents_audit_delete_failed = ++"## Unsuccessful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85969-4 ++ cce@rhel9: CCE-85970-2 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ contents: |- ++ {{{ file_contents_audit_delete_failed|indent(12) }}} ++ ++fixtext: |- ++ Configure {{{ full_name }}} to audit all unsuccessful attempts to delete a file. ++ ++ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules" with the exactly following content: ++ ++ {{{ file_contents_audit_delete_failed|indent(4) }}} ++ ++ Then, run the following commands: ++ ++ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ $ sudo augenrules --load + +From 364e30b710df1f58a004edce60cfc6043d0aed3b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:12:20 +0200 +Subject: [PATCH 07/18] add audit_delete_success ppc64le + +--- + .../audit_delete_success/rule.yml | 2 +- + .../kubernetes/shared.yml | 7 ++ + .../audit_delete_success_ppc64le/rule.yml | 64 +++++++++++++++++++ + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +index 93b42e3f4d6..b2fc0cca348 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..3734328c9e1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,7 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++ ++{{% set file_contents = """## Successful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete""" -%}} ++ ++{{{- kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules', file_permissions_mode='0600', source=file_contents) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..35362051948 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -0,0 +1,64 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file deletions (ppc64le)' ++ ++{{% set file_contents_audit_delete_success = ++"## Successful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete" %}} ++ ++description: |- ++ Ensure that successful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85974-4 ++ cce@rhel9: CCE-85976-9 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules ++ contents: |- ++ {{{ file_contents_audit_delete_success|indent(12) }}} ++ ++fixtext: |- ++ Configure {{{ full_name }}} to audit all successful attempts to delete a file. ++ ++ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules" with the exactly following content: ++ ++ {{{ file_contents_audit_delete_success|indent(4) }}} ++ ++ Then, run the following commands: ++ ++ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ $ sudo augenrules --load + +From 3bb8799b634e8ec164a6ff7287df92e9519c1a47 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:16:37 +0200 +Subject: [PATCH 08/18] add audit_modify_failed ppc64le + +--- + .../policy_rules/audit_modify_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_modify_failed_ppc64le/rule.yml | 57 +++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +index e4d042a50cb..16c7ca38e5a 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +@@ -36,7 +36,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml 
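Review bot: The fixtext of audit_delete_success_ppc64le/rule.yml tells the operator to run `$ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules`, but the file this rule creates (per its template filepath, its ocil and the preceding "Create file" sentence) is /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules. The line appears to have been copied from the delete_failed rule, so the permissions step of the manual fix tightens the wrong file and leaves the success rules file with whatever mode it was created with. Change it to `$ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules`.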
b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..f07ff3607ae +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml 
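Review bot: The `source: data:,…` payload in the new MachineConfig is a hand-encoded second copy of the rule text that `file_contents_audit_modify_failed` holds in ../rule.yml, with nothing tying the two together; a future edit to one that is not mirrored in the other will make the OpenShift remediation install content that the audit_file_contents check then reports as differing. A comment after the platform line such as `# NOTE: must match file_contents_audit_modify_failed in ../rule.yml (URL-encoded); update both together` would at least make the coupling visible, and generating the data URL from the same Jinja variable would remove it. The same applies to the kubernetes/shared.yml hunks for audit_modify_success_ppc64le, audit_module_load_ppc64le and audit_ospp_general_ppc64le later in this chunk.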
+new file mode 100644 +index 00000000000..d5d11a0f214 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file modifications (ppc64le)' ++ ++{{% set file_contents_audit_modify_failed = ++"## Unsuccessful file modifications (open for write or truncate) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85977-7 ++ cce@rhel9: CCE-85978-5 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules ++ contents: |- ++ {{{ file_contents_audit_modify_failed|indent(12) }}} + +From 86196a6512dab40e8bed5a06ea0581f2290d5ad8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:20:01 +0200 +Subject: [PATCH 09/18] add audit modify_success ppc64le + +--- + .../audit_modify_success/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_modify_success_ppc64le/rule.yml | 55 +++++++++++++++++++ + 3 files changed, 71 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +index 4c65055f577..cafc88f49b7 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +@@ -31,7 +31,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..92310b9772e +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 
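Review bot: The rule set in `file_contents_audit_modify_failed` of the new audit_modify_failed_ppc64le rule is a by-hand copy of the b64 lines of the generic rule rather than a derivation from it, and the description block carries the typo `alligned` (should be `aligned`). Assembling the per-architecture variants from one shared Jinja definition of the b64 lines would stop the copies drifting apart; at minimum the description should state why ppc64le needs its own file (presumably that the `arch=b32` rules of the generic variant cannot be loaded there, though the generic content is not visible in this hunk), in the spirit of the generic rule's `# so do not apply this rule but apply the specific one instead` comment. The same pattern appears in the audit_modify_success_ppc64le, audit_module_load_ppc64le, audit_ospp_general_ppc64le and audit_owner_change_failed_ppc64le rule.yml hunks.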
++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..e45015e5949 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -0,0 +1,55 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file modifications (ppc64le)' ++ ++{{% set file_contents_audit_modify_success = ++"## Successful file modifications (open for write or truncate) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification" %}} ++ ++description: |- ++ Ensure that successful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
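Review bot: The `# platform = multi_platform_rhel,multi_platform_fedora` line of the audit_modify_success_ppc64le MachineConfig omits `multi_platform_rhcos`, while the sibling audit_modify_failed_ppc64le remediation lists it and the rule's prodtype includes rhcos4, so the Kubernetes remediation for successful modifications would presumably not be generated for RHCOS. Unless the omission is deliberate, the line should read `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos`. If the generic audit_modify_success remediation this was copied from has the same omission, it is worth fixing there as well.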
{{{ file_contents_audit_modify_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85979-3 ++ cce@rhel9: CCE-85980-1 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules ++ contents: |- ++ {{{ file_contents_audit_modify_success|indent(12) }}} + +From 4b3fc315e2e946f103826ac010a056390c906aca Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:23:45 +0200 +Subject: [PATCH 10/18] add audit_module_load ppc64le + +--- + .../policy_rules/audit_module_load/rule.yml | 3 ++ + .../kubernetes/shared.yml | 15 ++++++ + .../audit_module_load_ppc64le/rule.yml | 52 +++++++++++++++++++ + 3 files changed, 70 insertions(+) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +index 5e840fca5a3..b04d879a9c0 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +@@ -26,6 +26,9 @@ rationale: |- + + severity: medium + ++platforms: ++ - not ppc64le_arch ++ + identifiers: + cce@rhel8: CCE-82838-4 + cce@rhel9: CCE-90814-5 +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..231034a9c54 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: 
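Review bot: The `platforms: - not ppc64le_arch` added to audit_module_load is not wrapped in the `{{% if product == "rhel9" %}}` guard that every other generic rule in this series uses, and carries no comment explaining that the ppc64le rule takes over. As written the generic rule drops ppc64le on every product it is built for, while the replacement audit_module_load_ppc64le only declares `prodtype: ol8,ol9,rhcos4,rhel8,rhel9`; if the generic rule's prodtype (outside this hunk) is wider, those other ppc64le builds would lose kernel-module-load auditing entirely instead of receiving the architecture-specific file. Either guard it the same way as the siblings or align the two prodtypes, and add the siblings' `# so do not apply this rule but apply the specific one instead` comment above it so the intent is recorded.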
data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/43-module-load.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +new file mode 100644 +index 00000000000..3f59eecec86 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' ++ ++{{% set file_contents_audit_module_load = ++"## These rules watch for kernel module insertion. By monitoring ++## the syscall, we do not need any watches on programs. ++-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b64 -S delete_module -F key=module-unload" %}} ++ ++description: |- ++ Ensure that loading and unloading of kernel modules is audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_module_load|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++rationale: |- ++ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85981-9 ++ cce@rhel9: CCE-85982-7 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/43-module-load.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_module_load|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/43-module-load.rules ++ contents: |- ++ {{{ file_contents_audit_module_load|indent(12) }}} + +From 3265584f7f4396ee037f675a4994a1e85e26564b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:34:25 +0200 +Subject: [PATCH 11/18] add audit_ospp_general ppc64le + +--- + .../policy_rules/audit_ospp_general/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 ++ + .../audit_ospp_general_ppc64le/rule.yml | 132 ++++++++++++++++++ + 3 files changed, 148 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +index e82c5aee936..93417f4cf6d 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +@@ -109,7 +109,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..fa81ece03c6 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ 
storage: ++ files: ++ - contents: ++ source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-
F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20au
id%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fv
ar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +new file mode 100644 +index 00000000000..8d408578c3a +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -0,0 +1,132 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Perform general configuration of Audit for OSPP (ppc64le)' ++ ++{{% set file_contents_audit_ospp_general = ++"## The purpose of these rules is to meet the requirements for Operating ++## System Protection Profile (OSPP)v4.2. 
These rules depends on having ++## the following rule files copied to /etc/audit/rules.d: ++## ++## 10-base-config.rules, 11-loginuid.rules, ++## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, ++## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, ++## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, ++## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, ++## 30-ospp-v42-5-perm-change-failed.rules, ++## 30-ospp-v42-5-perm-change-success.rules, ++## 30-ospp-v42-6-owner-change-failed.rules, ++## 30-ospp-v42-6-owner-change-success.rules ++## ++## original copies may be found in /usr/share/audit/sample-rules/ ++ ++ ++## User add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch passwd and ++## shadow for writes ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++ ++## User enable and disable. This is entirely handled by pam. ++ ++## Group add delete modify. This is covered by pam. 
However, someone could ++## open a file and directly create or modify a user, so we'll watch group and ++## gshadow for writes ++-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++ ++ ++## Use of special rights for config changes. This would be use of setuid ++## programs that relate to user accts. This is not all setuid apps because ++## requirements are only for ones that affect system configuration. ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F 
path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++ ++## Privilege escalation via su or sudo. This is entirely handled by pam. ++ ++## Watch for configuration changes to privilege escalation. ++-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes ++-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes ++ ++## Audit log access ++-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ++## Attempts to Alter Process and Session Initiation Information ++-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++ ++## Attempts to modify MAC controls ++-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy ++ ++## Software updates. This is entirely handled by rpm. ++ ++## System start and shutdown. This is entirely handled by systemd ++ ++## Kernel Module loading. This is handled in 43-module-load.rules ++ ++## Application invocation. The requirements list an optional requirement ++## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to ++## state results from that policy. This would be handled entirely by ++## that daemon." %}} ++ ++description: |- ++ Configure some basic Audit parameters specific for OSPP profile. ++ In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. 
++ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85983-5 ++ cce@rhel9: CCE-85984-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42.rules ++ contents: |+ ++ {{{ file_contents_audit_ospp_general|indent(12) }}} ++#do not remove this comment, it stops Jinja from including more blank lines to the variable + +From 33d024e126e207e9b1e79b8946bcd2cf4cfc864c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:08:54 +0200 +Subject: [PATCH 12/18] add audit_owner_change_failed ppc64le + +--- + .../audit_owner_change_failed/rule.yml | 2 +- + .../rule.yml | 53 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 54 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +index 09c29fb1421..630c54693b5 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..6324bb4fd3b +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' ++ ++{{% set file_contents_audit_owner_change_failed = ++"## Unsuccessful 
ownership change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85985-0 ++ cce@rhel9: CCE-85988-4 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules ++ contents: |- ++ {{{ file_contents_audit_owner_change_failed|indent(12) }}} + +From a7d6fd67d0916baa324d9d342073b93f386004ce Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:11:38 +0200 +Subject: [PATCH 13/18] add audit_owner_change_success aarch64 + +--- + .../audit_owner_change_success/rule.yml | 2 +- + .../rule.yml | 52 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 53 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +index 934739fd043..744249d8740 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..62639140885 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful ownership changes (ppc64le)' ++ ++{{% set file_contents_audit_owner_change_success = ++"## Successful ownership change ++-a always,exit -F arch=b64 -S 
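Review bot: The description of the new audit_owner_change_failed_ppc64le rule never explains why a separate ppc64le variant exists, so a reader of the generated guide cannot tell it apart from the generic rule beyond the "(ppc64le)" title suffix. Presumably the generic rule also carries `-F arch=b32` lines that cannot be loaded on ppc64le, which is why only `-F arch=b64` rules appear here; if that is the reason, add after "The following rules configure audit as described above:" a sentence along the lines of `This variant contains only 64-bit rules because the ppc64le kernel provides no 32-bit compat syscall table to audit.` (constructed wording, confirm the actual reason first). The same omission applies to the new owner_change_success, perm_change_failed and perm_change_success ppc64le rules later in this series. Separately, the note paragraph misspells "aligned" as `alligned` in all four new files.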
lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change" %}} ++ ++description: |- ++ Ensure that successful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85997-5 ++ cce@rhel9: CCE-85998-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules ++ contents: |- ++ {{{ file_contents_audit_owner_change_success|indent(12) }}} + +From 0e86aaed2dbe0d215d73e02565ab7eaefe803c70 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:13:57 +0200 +Subject: [PATCH 14/18] add audit_perm_change_failed for ppc64le + +--- + .../audit_perm_change_failed/rule.yml | 2 +- + .../audit_perm_change_failed_ppc64le/rule.yml | 53 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 54 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +index 3f7db62b615..0870d41738e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..e55de06efc0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful permission changes (ppc64le)' ++ ++{{% set file_contents_audit_perm_change_failed = ++"## Unsuccessful permission change ++-a always,exit -F 
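Review bot: The embedded patch subject reads "add audit_owner_change_success aarch64" while every line it adds is the ppc64le variant (new file audit_owner_change_success_ppc64le with platform `ppc64le_arch`), which will mislead anyone bisecting this series; it should read `add audit_owner_change_success ppc64le`. The rationale in the new file also has a typo: `Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system.` should read `... helps in monitoring or investigating activities performed on the system.`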
arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change file or directory permissions are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85999-1 ++ cce@rhel9: CCE-86000-7 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules ++ contents: |- ++ {{{ file_contents_audit_perm_change_failed|indent(12) }}} + +From c4df26914cc7dc0911f08950be391a31faae8d63 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:16:05 +0200 +Subject: [PATCH 15/18] add audit_perm_change_success ppc64le + +--- + .../audit_perm_change_success/rule.yml | 2 +- + .../rule.yml | 52 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 53 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +index 4a67bfde428..e0ff8648348 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..0cbb0f60e0c +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful permission changes (ppc64le)' ++ ++{{% set file_contents_audit_perm_change_success = ++"## Successful permission change ++-a always,exit -F arch=b64 -S 
chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change" %}} ++ ++description: |- ++ Ensure that successful attempts to modify permissions of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-86001-5 ++ cce@rhel9: CCE-86002-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules ++ contents: |- ++ {{{ file_contents_audit_perm_change_success|indent(12) }}} + +From af066dd83f416d40eabe8b9cec584f726b37f14e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:42:46 +0200 +Subject: [PATCH 16/18] add new rules to rhel9 ospp profile + +--- + products/rhel9/profiles/ospp.profile | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 1c97558669f..41930e4b840 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -279,35 +279,51 @@ selections: + - audit_immutable_login_uids + - audit_create_failed + - audit_create_failed_aarch64 ++ - audit_create_failed_ppc64le + - audit_create_success + - audit_create_success_aarch64 ++ - audit_create_success_ppc64le + - audit_modify_failed + - audit_modify_failed_aarch64 ++ - audit_modify_failed_ppc64le + - audit_modify_success + - audit_modify_success_aarch64 ++ - audit_modify_success_ppc64le + - audit_access_failed + - audit_access_failed_aarch64 ++ - audit_access_failed_ppc64le + - audit_access_success + - audit_access_success.severity=info + - audit_access_success.role=unscored + - audit_access_success_aarch64 + - audit_access_success_aarch64.severity=info + - audit_access_success_aarch64.role=unscored ++ - audit_access_success_ppc64le ++ - audit_access_success_ppc64le.severity=info ++ - audit_access_success_ppc64le.role=unscored + - audit_delete_failed + - audit_delete_failed_aarch64 ++ - audit_delete_failed_ppc64le + - audit_delete_success + - audit_delete_success_aarch64 ++ - audit_delete_success_ppc64le + - audit_perm_change_failed + - audit_perm_change_failed_aarch64 ++ - audit_perm_change_failed_ppc64le + - audit_perm_change_success + - audit_perm_change_success_aarch64 ++ - audit_perm_change_success_ppc64le + - 
audit_owner_change_failed + - audit_owner_change_failed_aarch64 ++ - audit_owner_change_failed_ppc64le + - audit_owner_change_success + - audit_owner_change_success_aarch64 ++ - audit_owner_change_success_ppc64le + - audit_ospp_general + - audit_ospp_general_aarch64 ++ - audit_ospp_general_ppc64le + - audit_module_load ++ - audit_module_load_ppc64le + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + +From 1fb5a22850fb1bfbaee76422ef57b3b631d4c91f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 15 Jul 2022 10:40:07 +0200 +Subject: [PATCH 17/18] make newly added rules RHEL9 only + +- change their prodtype to rhel9 +- return rhel8 cces back to the pool +- make the platform in generic rule applicable only on rhel9 since on rhel8 the file content is the same regardless of the architecture +- remove rules from rhel8 profiles +--- + .../policy_rules/audit_access_failed/rule.yml | 4 ++++ + .../audit_access_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_access_success/rule.yml | 4 ++++ + .../audit_access_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_create_failed/rule.yml | 4 ++++ + .../audit_create_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_create_success/rule.yml | 4 ++++ + .../audit_create_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_delete_failed/rule.yml | 5 ++++- + .../audit_delete_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_delete_success/rule.yml | 4 ++++ + .../audit_delete_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_modify_failed/rule.yml | 4 ++++ + .../audit_modify_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_modify_success/rule.yml | 4 ++++ + .../audit_modify_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_module_load/rule.yml | 4 ++++ + .../audit_module_load_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_ospp_general/rule.yml | 4 ++++ + .../audit_ospp_general_ppc64le/rule.yml | 3 +-- + 
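Review bot: `audit_module_load_ppc64le` is selected next to the generic `audit_module_load`, but unlike every other pair in this hunk there is no `audit_module_load_aarch64`, and no platform exclusion for the generic module-load rule is visible anywhere in this series; if the generic rule does not exclude `ppc64le_arch` the way the owner and permission rules do (`- not aarch64_arch and not ppc64le_arch`), both rules apply to a ppc64le host and, assuming they target the same rules file, demand different contents for it, so one of them always fails. Patch 17's diffstat shows a 4-line addition to audit_module_load/rule.yml that presumably adds that guard; worth confirming before the profile ships, and a short comment above the pair, e.g. `# generic rule is excluded on ppc64le via its platforms list`, would make the dependency explicit.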
.../audit_owner_change_failed/rule.yml | 4 ++++ + .../audit_owner_change_failed_ppc64le/rule.yml | 3 +-- + .../audit_owner_change_success/rule.yml | 4 ++++ + .../audit_owner_change_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_perm_change_failed/rule.yml | 4 ++++ + .../audit_perm_change_failed_ppc64le/rule.yml | 3 +-- + .../audit_perm_change_success/rule.yml | 4 ++++ + .../audit_perm_change_success_ppc64le/rule.yml | 3 +-- + shared/references/cce-redhat-avail.txt | 14 ++++++++++++++ + 29 files changed, 84 insertions(+), 29 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +index f764da506e9..6547b12e349 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file accesses (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85953-8 + cce@rhel9: CCE-85955-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +index b76fe0b4a4e..6ec2fc3b32d 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file accesses (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85960-3 + cce@rhel9: CCE-85961-1 + + references: +diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +index ead598f8b9a..7af3f3b5bbb 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file creations (ppc64le)' + +@@ -33,7 +33,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85962-9 + cce@rhel9: CCE-85965-2 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +index 294947c14ba..87bfe3de933 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file creations (ppc64le)' + +@@ -30,7 +30,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85966-0 + cce@rhel9: CCE-85968-6 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +index c8c532cb3bb..30279c88b23 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file deletions (ppc64le)' + +@@ -29,7 +29,6 @@ 
platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85969-4 + cce@rhel9: CCE-85970-2 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +index 35362051948..220e5d9ca78 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file deletions (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85974-4 + cce@rhel9: CCE-85976-9 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +index d5d11a0f214..ae0931dcee3 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file modifications (ppc64le)' + +@@ -33,7 +33,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85977-7 + cce@rhel9: CCE-85978-5 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +index e45015e5949..4c4b1c7d8e0 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file modifications (ppc64le)' + +@@ -31,7 +31,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85979-3 + cce@rhel9: CCE-85980-1 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +index 3f59eecec86..4f8b06c5e2f 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85981-9 + cce@rhel9: CCE-85982-7 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +index 8d408578c3a..3fe9257c0cc 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Perform general configuration of Audit for OSPP (ppc64le)' + +@@ -107,7 +107,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85983-5 + cce@rhel9: CCE-85984-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +index 6324bb4fd3b..f0a7c78dd14 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml ++++ 
b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85985-0 + cce@rhel9: CCE-85988-4 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +index 62639140885..dd0cf8d7cca 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful ownership changes (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85997-5 + cce@rhel9: CCE-85998-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +index e55de06efc0..71e5354753e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful permission changes (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85999-1 + cce@rhel9: CCE-86000-7 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +index 0cbb0f60e0c..282a2e316f4 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful permission changes (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-86001-5 + cce@rhel9: CCE-86002-3 + + references: + +From 3b4bc8b3bec38c27e67bde1ad34ff42c85e7cd94 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 18 Jul 2022 14:12:08 +0200 +Subject: [PATCH 18/18] fix CCE assignments after rebase + +--- + .../audit_access_failed_ppc64le/rule.yml | 2 +- + .../audit_access_success_ppc64le/rule.yml | 2 +- + .../audit_create_failed_ppc64le/rule.yml | 2 +- + .../audit_create_success_ppc64le/rule.yml | 2 +- + .../audit_delete_failed_ppc64le/rule.yml | 2 +- + .../audit_delete_success_ppc64le/rule.yml | 2 +- + .../audit_modify_failed_ppc64le/rule.yml | 2 +- + .../audit_modify_success_ppc64le/rule.yml | 2 +- + .../audit_module_load_ppc64le/rule.yml | 2 +- + .../audit_ospp_general_ppc64le/rule.yml | 2 +- + shared/references/cce-redhat-avail.txt | 20 ------------------- + 11 files changed, 10 insertions(+), 30 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +index 6547b12e349..222290c9dd7 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85955-3 ++ cce@rhel9: CCE-86001-5 + + references: + ism: 
0582,0584,05885,0586,0846,0957 +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +index 6ec2fc3b32d..0091db466df 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85961-1 ++ cce@rhel9: CCE-85999-1 + + references: + ism: 0582,0584,05885,0586,0846,0957 +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +index 7af3f3b5bbb..c85274a3540 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -33,7 +33,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85965-2 ++ cce@rhel9: CCE-85997-5 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +index 87bfe3de933..54eb4be972d 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -30,7 +30,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85968-6 ++ cce@rhel9: CCE-85985-0 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +index 30279c88b23..123a38cc0c6 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml ++++ 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85970-2 ++ cce@rhel9: CCE-90787-3 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +index 220e5d9ca78..f127ee47197 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -28,7 +28,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85976-9 ++ cce@rhel9: CCE-90789-9 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +index ae0931dcee3..22a90d645e3 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -33,7 +33,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85978-5 ++ cce@rhel9: CCE-90790-7 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +index 4c4b1c7d8e0..94b15c57c2f 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -31,7 +31,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85980-1 ++ cce@rhel9: CCE-90791-5 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +index 4f8b06c5e2f..486f0ba2d9e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -28,7 +28,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85982-7 ++ cce@rhel9: CCE-90788-1 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +index 3fe9257c0cc..cb712714c19 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -107,7 +107,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85984-3 ++ cce@rhel9: CCE-90786-5 + + references: + nist: AU-2(a) diff --git a/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch b/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch new file mode 100644 index 0000000..2ac4abd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch 
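Review bot: The rebase fix reassigns ten `cce@rhel9` identifiers but does not say what becomes of the ten it abandons (CCE-85955-3, CCE-85961-1, CCE-85965-2, CCE-85968-6, CCE-85970-2, CCE-85976-9, CCE-85978-5, CCE-85980-1, CCE-85982-7, CCE-85984-3); if they collided with rules that landed upstream during the rebase that is fine, otherwise they should be returned to cce-redhat-avail.txt rather than leak. The diffstat shows 20 deletions from the pool for 10 consumed identifiers, which deserves a sentence in the patch description. The four reused values (CCE-86001-5, CCE-85999-1, CCE-85997-5, CCE-85985-0) were freed as `cce@rhel8` entries in the previous patch, so no duplicate is visible in this excerpt. Incidentally, the unchanged context line `ism: 0582,0584,05885,0586,0846,0957` in the access_failed and access_success rules carries a five-digit `05885` that looks like a typo for `0585`; it predates this series.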
@@ -0,0 +1,90 @@ +From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:15 +0200 +Subject: [PATCH 1/4] fix ospp references + +--- + linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml +index c151d3c4aa1..f9b46c51ddd 100644 +--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml ++++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml +@@ -34,6 +34,7 @@ references: + disa: CCI-000213 + hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth + nist: AC-3 ++ ospp: FIA_UAU.1,FIA_AFL.1 + srg: SRG-OS-000480-GPOS-00227 + + ocil: |- + +From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:42 +0200 +Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index b47630c62b0..dcc41970043 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -115,7 +115,7 @@ selections: + - coredump_disable_storage + - coredump_disable_backtraces + - service_systemd-coredump_disabled +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - use_pam_wheel_for_su + + +From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:54 +0200 +Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp + +--- + products/rhel8/profiles/ospp.profile | 
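Review bot: The switch from `var_authselect_profile=sssd` to `var_authselect_profile=minimal` in products/rhel9/profiles/ospp.profile is a behavioural change for remediation, and neither the hunk nor the commit message says why. If enable_authselect's remediation selects the profile named by this variable (not visible here), applying the profile to a host that authenticates through SSSD against IdM/AD would presumably move it to local authentication, and administrators tailoring the profile should be warned up front. Patch 1/4 adds `FIA_AFL.1` to the same rule's references, yet nothing in this series shows a lockout feature being selected together with `minimal`; worth confirming a separate rule covers it. A one-line comment next to the selection would do: `# 'minimal' replaces the sssd profile; hosts enrolled in IdM/AD via SSSD must tailor this value`.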
2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile +index 39ad1797c7a..ebec8a3a6f9 100644 +--- a/products/rhel8/profiles/ospp.profile ++++ b/products/rhel8/profiles/ospp.profile +@@ -220,7 +220,7 @@ selections: + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + +From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 13:55:05 +0200 +Subject: [PATCH 4/4] update profile stability test + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5d73a8c6fef..21e93e310d5 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -242,7 +242,7 @@ selections: + - var_slub_debug_options=P + - var_auditd_flush=incremental_async + - var_accounts_max_concurrent_login_sessions=10 +-- var_authselect_profile=sssd ++- var_authselect_profile=minimal + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted diff --git a/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch b/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch new file mode 100644 index 0000000..20b17ab --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch 
@@ -0,0 +1,302 @@ +From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 Jul 2022 13:49:05 +0200 +Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index dcc41970043..0902abf58db 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,10 +110,7 @@ selections: + - package_gnutls-utils_installed + + ### Login +- - disable_users_coredumps + - sysctl_kernel_core_pattern +- - coredump_disable_storage +- - coredump_disable_backtraces + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + - enable_authselect + +From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 12:17:27 +0200 +Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL + +actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template. +I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers. 
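Review bot: Dropping `disable_users_coredumps`, `coredump_disable_storage` and `coredump_disable_backtraces` from the RHEL 9 OSPP profile removes independent layers, and the commit message only calls them "unneeded". Judging by their names these rules constrain core files through the process resource limit and systemd-coredump's storage settings, which would keep working if root later changes `kernel.core_pattern` at runtime; the remaining `sysctl_kernel_core_pattern` and `service_systemd-coredump_disabled` selections cover only the kernel path. If the removal is deliberate because the later patches in this series stop the kernel from writing any core file, record that in the profile, e.g. `# core files are prevented at kernel level (core_pattern); ulimit/systemd-coredump rules intentionally not selected`.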
+--- + shared/templates/sysctl/oval.template | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1a7c4979bbe..e0c6f72f928 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -17,13 +17,8 @@ + {{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} +-{{%- if SYSCTLVAL == "" -%}} +- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$ +- 1 +-{{%- else -%}} + ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ + 1 +-{{%- endif -%}} + {{%- endmacro -%}} + {{%- if "P" in FLAGS -%}} + + +From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 13:00:45 +0200 +Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid + +--- + .../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +new file mode 100644 +index 00000000000..7fa36fb940e +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure file name of core dumps' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' ++ ++rationale: |- ++ The default coredump filename is
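Review bot: The pattern kept in `sysctl_match()`, `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$`, captures trailing whitespace: `(.*)` is greedy and the trailing `[\s]*` can always match empty, so a config line `kernel.core_uses_pid = 0 ` (trailing blank) yields `0 ` rather than `0`, which may not compare equal to the expected value or, for `datatype: int`, may not parse at all. Before this change the `(\d+)` branch could not pick up a blank for numeric values; now every templated sysctl rule inherits the problem. If the evaluator's regex dialect supports lazy quantifiers, `(.*?)[\s]*$` fixes it without rejecting multi-value sysctls that contain inner spaces. The whole macro is visible in the hunk, so this is the only capture affected.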
core
. By setting ++
core_uses_pid
to
1
, the coredump filename becomes ++
core.PID
. If
core_pattern
does not include ++
%p
(default does not) and
core_uses_pid
is set, then ++
.PID
will be appended to the filename. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-86003-1 ++ ++references: ++ ospp: FMT_SMF_EXT.1 ++ ++ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ ++ocil: |- ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.core_uses_pid ++ datatype: int ++ sysctlval: '0' + +From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 09:08:37 +0200 +Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string + +--- + .../rule.yml | 49 +++++++++++++++++++ + 2 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +new file mode 100644 +index 00000000000..089bb1481aa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +@@ -0,0 +1,49 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Disable storing core dumps' ++ ++description: |- ++ The kernel.core_pattern option specifies the core dumpfile pattern ++ name. It can be set to an empty string ''. In this case, the kernel ++ behaves differently based on another related option. If ++ kernel.core_uses_pid is set to 1, then a file named as ++ .PID (where PID is process ID of the crashed process) is ++ created in the working directory. If kernel.core_uses_pid is set to ++ 0, no coredump is saved. 
++ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}' ++ ++rationale: |- ++ A core dump includes a memory image taken at the time the operating system ++ terminates an application. The memory image could contain sensitive data and is generally useful ++ only for developers trying to debug problems. ++ ++severity: medium ++ ++requires: ++ - sysctl_kernel_core_uses_pid ++ ++conflicts: ++ - sysctl_kernel_core_pattern ++ ++identifiers: ++ cce@rhel9: CCE-86005-6 ++ ++references: ++ ospp: FMT_SMF_EXT.1 ++ ++ocil_clause: |- ++ the returned line does not have a value of ''. ++ ++ocil: | ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}} ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.core_pattern ++ sysctlval: "''" ++ datatype: string + +From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 10:40:47 +0200 +Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile + +--- + products/rhel9/profiles/ospp.profile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 0902abf58db..b1b18261d48 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,7 +110,8 @@ selections: + - package_gnutls-utils_installed + + ### Login +- - sysctl_kernel_core_pattern ++ - sysctl_kernel_core_pattern_empty_string ++ - sysctl_kernel_core_uses_pid + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + - enable_authselect + +From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 13:01:12 +0200 +Subject: [PATCH 6/8] describe beneficial dependency between + sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid + +--- + .../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++----- + 1 file changed, 8 insertions(+), 
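Review bot: `sysctlval: "''"` with `datatype: string` makes the templated check and remediation work with the two-character literal `''`, not with an empty value: a persisted line `kernel.core_pattern = ''` presumably sets the pattern to two apostrophes, since sysctl reads the file value verbatim rather than through a shell, and the generated OVAL would look for `''` in the file while the runtime value is empty. The `description:` and `ocil:` inherit the same `value="''"`, and the description line additionally ends with a stray `'` after `}}}` that will show up in the rendered text. Either the sysctl template needs an explicit empty-value mode or this rule needs hand-written OVAL/bash/ansible; as written the rule cannot pass on a correctly configured system.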
5 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +index 7fa36fb940e..d6d2c468c10 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps' + description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' + + rationale: |- +- The default coredump filename is
core
. By setting +-
core_uses_pid
to
1
, the coredump filename becomes +-
core.PID
. If
core_pattern
does not include +-
%p
(default does not) and
core_uses_pid
is set, then +-
.PID
will be appended to the filename. ++ The default coredump filename is core. By setting ++ core_uses_pid to 1, the coredump filename becomes ++ core.PID. If core_pattern does not include ++ %p (default does not) and core_uses_pid is set, then ++ .PID will be appended to the filename. ++ When combined with kernel.core_pattern = "" configuration, it ++ is ensured that no core dumps are generated and also no confusing error ++ messages are printed by a shell. + + severity: medium + + +From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 10:53:37 +0200 +Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with + sysctl_kernel_core_pattern_empty_string + +they are modifying the same configuration +--- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index 771c4d40e0f..c27a9e7ecf3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -13,6 +13,9 @@ rationale: |- + + severity: medium + ++conflicts: ++ - sysctl_kernel_core_pattern_empty_string ++ + identifiers: + cce@rhcos4: CCE-82527-3 + cce@rhel8: CCE-82215-5 + +From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 9 Aug 2022 16:43:20 +0200 +Subject: [PATCH 8/8] fix ocils + +--- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++- + .../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index c27a9e7ecf3..1a540ce20b3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -29,7 +29,10 @@ references: + stigid@ol8: OL08-00-010671 + stigid@rhel8: RHEL-08-010671 + +-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ocil_clause: |- ++ the returned line does not have a value of "|/bin/false", or a line is not ++ returned and the need for core dumps is not documented with the Information ++ System Security Officer (ISSO) as an operational requirement + + ocil: | + {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}} +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +index d6d2c468c10..8f51f97c16c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -24,10 +24,10 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + +-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ocil_clause: 'the returned line does not have a value of 0' + + ocil: |- +- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}} + + platform: machine + 
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch b/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch new file mode 100644 index 0000000..457d139 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch 
@@ -0,0 +1,826 @@ +From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 18 Aug 2022 13:06:49 +0200 +Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string + content. + +--- + .../ansible/shared.yml | 32 +++ + .../bash/shared.sh | 60 +++++ + .../oval/shared.xml | 221 ++++++++++++++++++ + .../rule.yml | 23 +- + .../tests/correct_value.pass.sh | 10 + + .../tests/wrong_value.fail.sh | 10 + + .../tests/wrong_value_three_entries.fail.sh | 11 + + .../tests/wrong_value_two_entries.fail.sh | 10 + + products/rhel9/profiles/ospp.profile | 2 +- + 9 files changed, 366 insertions(+), 13 deletions(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +new file mode 100644 +index 00000000000..a6e7bf54b56 +--- /dev/null ++++ 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +@@ -0,0 +1,32 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = disable ++# complexity = low ++# disruption = medium ++- name: List /etc/sysctl.d/*.conf files ++ find: ++ paths: ++ - /etc/sysctl.d/ ++ - /run/sysctl.d/ ++ contains: ^[\s]*kernel.core_pattern.*$ ++ patterns: '*.conf' ++ file_type: any ++ register: find_sysctl_d ++- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf ++ files ++ replace: ++ path: '{{ item.path }}' ++ regexp: ^[\s]*kernel.core_pattern ++ replace: '#kernel.core_pattern' ++ loop: '{{ find_sysctl_d.files }}' ++- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files ++ replace: ++ path: /etc/sysctl.conf ++ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ ++ replace: '#kernel.core_pattern' ++- name: Ensure sysctl kernel.core_pattern is set to empty ++ sysctl: ++ name: kernel.core_pattern ++ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces ++ state: present ++ reload: true +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +new file mode 100644 +index 00000000000..989987250bc +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +@@ -0,0 +1,60 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# reboot = true ++# strategy = disable ++# complexity = low ++# disruption = medium ++# Remediation is applicable only in certain platforms ++if [ ! -f /.dockerenv ] && [ ! 
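Review bot: The `/etc/sysctl.conf` task's `regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+` cannot match what it is meant to match: Ansible's `replace` module uses Python `re`, which has no POSIX bracket expressions, so `[[:blank:]]*` is parsed as the one-character set `[:blank` followed by `]*`, and a line such as `kernel.core_pattern = |/bin/false` is never commented out. The final `sysctl:` task may still rewrite that key in place, which would mask the dead task, but the intended behaviour is `regexp: ^\s*kernel\.core_pattern\s*=\s*\S+`. The unescaped `.` in the `find` and sysctl.d `replace` regexps is harmless in practice but worth escaping for consistency.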
-f /run/.containerenv ]; then ++ ++# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files ++ ++for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do ++ ++ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) ++ if ! test -z "$matching_list"; then ++ while IFS= read -r entry; do ++ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") ++ # comment out "kernel.core_pattern" matches to preserve user data ++ sed -i "s/^${escaped_entry}$/# &/g" $f ++ done <<< "$matching_list" ++ fi ++done ++ ++# ++# Set runtime for kernel.core_pattern ++# ++/sbin/sysctl -q -n -w kernel.core_pattern="" ++ ++# ++# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty ++# else, add "kernel.core_pattern =" to /etc/sysctl.conf ++# ++# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ++# Otherwise, regular sed command will do. ++sed_command=('sed' '-i') ++if test -L "/etc/sysctl.conf"; then ++ sed_command+=('--follow-symlinks') ++fi ++ ++# Strip any search characters in the key arg so that the key can be replaced without ++# adding any search characters to the config file. ++stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") ++ ++# shellcheck disable=SC2059 ++printf -v formatted_output "%s=" "$stripped_key" ++ ++# If the key exists, change it. Otherwise, add it to the config_file. ++# We search for the key string followed by a word boundary (matched by \>), ++# so if we search for 'setting', 'setting2' won't match. 
++if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then ++ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") ++ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" ++else ++ # \n is precaution for case where file ends without trailing newline ++ ++ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" ++fi ++ ++else ++ >&2 echo 'Remediation is not applicable, nothing was done' ++fi +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +new file mode 100644 +index 00000000000..39654259dcb +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +@@ -0,0 +1,221 @@ ++ ++ ++ ++ ++ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} ++ ++ ++ ++ ++ ++ ++ ++ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ kernel.core_pattern ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ local_var_sysctl_kernel_core_pattern_empty_string_counter ++ ++ ++ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered ++ state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_obj_symlink_sysctl_kernel_core_pattern_empty_string ++ var_obj_blank_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ 
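Review bot: In the comment-out loop, `sed -i "s/^${escaped_entry}$/# &/g" $f` uses the matched config line as a regex after escaping only `/`, so an entry whose value contains `[`, `*`, `\` or `$` (core patterns routinely carry `%` specifiers and pipes, and may carry globs) can break the expression or match a different line. Escape the whole line first, e.g. `escaped_entry=$(printf '%s' "$entry" | sed -e 's/[][\/.*^$\\]/\\&/g')`, and quote `"$f"`. The `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf` loop also feeds the literal glob to `grep` when a directory has no `.conf` files (no `nullglob`), which only prints an error but is noise in remediation logs; `[ -f "$f" ] || continue` avoids it. The loop does not visit `/usr/lib/sysctl.d`, so a vendor drop-in there is presumably overridden only where the distribution applies `/etc/sysctl.conf` last, which is worth stating in a comment given the `multi_platform_all` claim in patch 3/8.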
local_var_blank_path_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ++ ++ ++ local_var_symlinks_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string ++ object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ++ object_static_sysctl_sysctl_kernel_core_pattern_empty_string ++ object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ++ object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string ++ ++ ++ ++ ++ ++ /etc/sysctl.conf ++ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ ++ 1 ++ ++ ++ ++ /etc/sysctl.d ++ ^.*\.conf$ ++ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ ++ 1 ++ ++ ++ ++ /run/sysctl.d ++ ^.*\.conf$ ++ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +index dc21f53c98c..2babb28e361 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +@@ -1,18 +1,18 @@ + documentation_complete: true + +-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Disable storing core dumps' + + description: |- + The kernel.core_pattern option specifies the core dumpfile pattern +- name. It can be set to an empty string ''. In this case, the kernel ++ name. It can be set to an empty string. In this case, the kernel + behaves differently based on another related option. 
If + kernel.core_uses_pid is set to 1, then a file named as + .PID (where PID is process ID of the crashed process) is + created in the working directory. If kernel.core_uses_pid is set to + 0, no coredump is saved. +- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}' ++ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}} + + rationale: |- + A core dump includes a memory image taken at the time the operating system +@@ -30,17 +30,16 @@ conflicts: + identifiers: + cce@rhel9: CCE-86005-6 + ++references: ++ ospp: FMT_SMF_EXT.1 ++ + ocil_clause: |- +- the returned line does not have a value of ''. ++ the returned line does not have an empty string + + ocil: | +- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}} ++ The runtime status of the kernel.core_pattern kernel parameter can be queried ++ by running the following command: ++
$ sysctl kernel.core_pattern | cat -A
++ kernel.core_pattern = $ + + platform: machine +- +-template: +- name: sysctl +- vars: +- sysctlvar: kernel.core_pattern +- sysctlval: "''" +- datatype: string +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..71f0f5db142 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..1c5fabcc136 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="|/bin/false" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh 
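Review bot: The new `ocil:` checks only the runtime value (`sysctl kernel.core_pattern | cat -A` expecting `kernel.core_pattern = $`), but the tests added in the same patch show the automated check also fails when the persisted configuration carries a second `kernel.core_pattern` entry even though the runtime value is correct (`wrong_value_two_entries.fail.sh`), so a manual assessor following this OCIL would pass a system the OVAL fails. Add the persisted side as a second step, e.g. `$ grep -rs '^\s*kernel\.core_pattern' /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d`, and extend `ocil_clause` to "or more than one uncommented entry is present, or an entry has a non-empty value". With the `template:` block removed, the rule now relies entirely on the hand-written oval/bash/ansible content in this patch, which the description could mention.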
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh +new file mode 100644 +index 00000000000..e56e927ec56 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf ++echo "kernel.core_pattern=" >> /etc/sysctl.conf ++echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh +new file mode 100644 +index 00000000000..6c065b1e038 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf ++echo "kernel.core_pattern=" >> /etc/sysctl.conf ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="" +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 9fdd1354e38..b1b18261d48 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,7 +110,7 @@ selections: + - package_gnutls-utils_installed + + 
### Login +- - sysctl_kernel_core_pattern ++ - sysctl_kernel_core_pattern_empty_string + - sysctl_kernel_core_uses_pid + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + +From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 11:13:04 +0200 +Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9. + +The new rule empty is applicable only to RHEL9 and if there would not be +the restriction, then dangling references would be produced. +--- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index 1a540ce20b3..e369854060b 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -13,8 +13,10 @@ rationale: |- + + severity: medium + ++{{% if product in ["rhel9"] %}} + conflicts: + - sysctl_kernel_core_pattern_empty_string ++{{% endif %}} + + identifiers: + cce@rhcos4: CCE-82527-3 + +From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 11:16:41 +0200 +Subject: [PATCH 3/8] Switch bash remediation applicable to all products in + sysctl_kernel_core_pattern_empty_string. 
+ +--- + .../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +index 989987250bc..9e84d41056d 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++# platform = multi_platform_all + # reboot = true + # strategy = disable + # complexity = low + +From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 11:23:04 +0200 +Subject: [PATCH 4/8] Address feedback. 
+ +--- + .../ansible/shared.yml | 3 +++ + .../oval/shared.xml | 19 +++++-------------- + 2 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +index a6e7bf54b56..22a8d99dae8 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +@@ -12,6 +12,7 @@ + patterns: '*.conf' + file_type: any + register: find_sysctl_d ++ + - name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf + files + replace: +@@ -19,11 +20,13 @@ + regexp: ^[\s]*kernel.core_pattern + replace: '#kernel.core_pattern' + loop: '{{ find_sysctl_d.files }}' ++ + - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files + replace: + path: /etc/sysctl.conf + regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ + replace: '#kernel.core_pattern' ++ + - name: Ensure sysctl kernel.core_pattern is set to empty + sysctl: + name: kernel.core_pattern +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +index 39654259dcb..1c3bbfd9a3e 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +@@ -10,7 +10,9 @@ + definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/> + + +- ++ ++ ++ + + {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") 
}}} + +@@ -23,21 +25,15 @@ + comment="kernel runtime parameter kernel.core_pattern set to an empty string" + check="all" check_existence="all_exist" state_operator="OR"> + +- + +- + + + + kernel.core_pattern + + +- + +- +- +- ++ + + + +@@ -53,18 +49,17 @@ + test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/> + +- + + + + + ++ + + + +- + + + ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ + + +- + + + +@@ -189,7 +183,6 @@ + + + object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string +- + + + +@@ -213,9 +206,7 @@ + 1 + + +- + +- + + + + +From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 14:46:15 +0200 +Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple + def-group tags. + +--- + tests/test_parse_affected.py | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py +index 8407794b972..947b56636c0 100755 +--- a/tests/test_parse_affected.py ++++ b/tests/test_parse_affected.py +@@ -3,6 +3,7 @@ + from __future__ import print_function + + import os ++import re + import sys + + import ssg.constants +@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml): + if not xml_content: + continue + +- oval_contents = ssg.utils.split_string_content(xml_content) ++ # split multiple def group into a list so multiple definitions in one OVAL also work ++ # this findall does not preserv the tag but it's not necessary for the ++ # purpose of the test ++ xml_content_list = re.findall(r'(.+?)', xml_content, re.DOTALL) ++ for item in xml_content_list: ++ oval_contents = ssg.utils.split_string_content(item) + +- try: +- results = ssg.oval.parse_affected(oval_contents) ++ try: ++ results = ssg.oval.parse_affected(oval_contents) + +- assert len(results) == 3 +- assert isinstance(results[0], int) +- assert isinstance(results[1], int) ++ assert 
len(results) == 3 ++ assert isinstance(results[0], int) ++ assert isinstance(results[1], int) + +- except ValueError as e: +- print("No element found in file {}. " +- " Parsed XML was:\n{}".format(oval, xml_content)) +- raise e ++ except ValueError as e: ++ print("No element found in file {}. " ++ " Parsed XML was:\n{}".format(oval, item)) ++ raise e + + + if __name__ == "__main__": + +From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 15:14:57 +0200 +Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant + values. + +Comment out any offending line. +--- + .../ansible/shared.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +index 22a8d99dae8..f4dc5110fee 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +@@ -24,8 +24,8 @@ + - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files + replace: + path: /etc/sysctl.conf +- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ +- replace: '#kernel.core_pattern' ++ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)' ++ replace: '#kernel.core_pattern\1' + + - name: Ensure sysctl kernel.core_pattern is set to empty + sysctl: + +From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 15:20:41 +0200 +Subject: [PATCH 7/8] Fix PEP8 issue. 
+ +--- + tests/test_parse_affected.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py +index 947b56636c0..53690df5ce1 100755 +--- a/tests/test_parse_affected.py ++++ b/tests/test_parse_affected.py +@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml): + + except ValueError as e: + print("No element found in file {}. " +- " Parsed XML was:\n{}".format(oval, item)) ++ " Parsed XML was:\n{}".format(oval, item)) + raise e + + + +From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Aug 2022 16:31:31 +0200 +Subject: [PATCH 8/8] Add more test scenarios for + sysctl_kernel_core_pattern_empty_string. + +--- + .../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++ + .../tests/wrong_value_d_directory.fail.sh | 9 +++++++++ + .../tests/wrong_value_runtime.fail.sh | 10 ++++++++++ + 3 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh +new file mode 100644 +index 00000000000..b6688e6ca91 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* 
/etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern= " >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh +new file mode 100644 +index 00000000000..6c574b92762 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh +new file mode 100644 +index 00000000000..8c729677b86 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.core_pattern/d" /etc/sysctl.conf ++echo "kernel.core_pattern=" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.core_pattern="|/bin/false" 
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch b/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
new file mode 100644
index 0000000..57e9182
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
@@ -0,0 +1,47 @@ +From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 20 Jul 2022 14:18:13 +0200 +Subject: [PATCH] change remediations to include the "=" sign + +--- + .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- + .../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +index c335a9e7fa2..852ca18cf79 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +@@ -20,7 +20,7 @@ + lineinfile: + create: yes + insertafter: '^\s*\[\s*crypto_policy\s*]\s*' +- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config" ++ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config" + path: {{{ openssl_cnf_path }}} + when: + - test_crypto_policy_group.stdout is defined +@@ -29,7 +29,7 @@ + - name: "Add crypto_policy group and set include opensslcnf.config" + lineinfile: + create: yes +- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" ++ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config" + path: {{{ openssl_cnf_path }}} + when: + - test_crypto_policy_group.stdout is defined +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +index 21edb780a2f..79eb5cff189 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh ++++ 
b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +@@ -2,8 +2,8 @@ + + OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' + OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' +-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' +-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' ++OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config' ++OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' + + {{% if 'sle' in product %}} + {{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}} diff --git a/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch b/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch new file mode 100644 index 0000000..00f27c1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch 
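Review bot: The new OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX in bash/shared.sh uses a PCRE-only non-capturing group, `(?:=\s*)?`, which is a syntax error under grep -E or sed -E; the consumer of the variable is outside the hunk, so if it is anything other than grep -P or a Perl/Python engine the match would fail or error and the remediation could add a second `.include` line on every run. A plain group matches the same input in both dialects (GNU `\s` is already assumed): `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'`. A one-line comment above the two assignments saying that the `=` form is what is written and the optional group keeps the older `.include /path` form recognised would also help, since the Subject line is the only place that rationale appears.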
@@ -0,0 +1,29 @@ +From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 28 Jul 2022 15:08:15 +0200 +Subject: [PATCH] Remove a confusing sentence + +In the rule description, there are 2 conflicting sentences, they +both start by "By default ...", but they negate each other. +In fact, the second of them is true, so the first one could be +removed. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799 +--- + .../accounts-physical/require_singleuser_auth/rule.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index 932d76c36d9..332712ea1dd 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode' + description: |- + Single-user mode is intended as a system recovery + method, providing a single user root access to the system by +- providing a boot option at startup. By default, no authentication +- is performed if single-user mode is selected. ++ providing a boot option at startup. +

+ By default, single-user mode is protected by requiring a password and is set + in /usr/lib/systemd/system/rescue.service. diff --git a/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch b/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch new file mode 100644 index 0000000..668459b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch 
@@ -0,0 +1,48 @@ +From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 22 Aug 2022 13:51:28 +0200 +Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for + sysctl_kernel_core_pattern + +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index b1b18261d48..9fdd1354e38 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,7 +110,7 @@ selections: + - package_gnutls-utils_installed + + ### Login +- - sysctl_kernel_core_pattern_empty_string ++ - sysctl_kernel_core_pattern + - sysctl_kernel_core_uses_pid + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + +From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 22 Aug 2022 13:51:55 +0200 +Subject: [PATCH 2/2] remove ospp reference from + sysctl_kernel_core_pattern_empty_string + +--- + .../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +index 089bb1481aa..dc21f53c98c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +@@ -30,9 +30,6 @@ conflicts: + identifiers: + cce@rhel9: CCE-86005-6 + +-references: +- ospp: FMT_SMF_EXT.1 +- + ocil_clause: |- + the returned line does not have a value of ''. + diff --git a/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch b/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch new file mode 100644 index 0000000..9651d1d --- /dev/null 
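Review bot: Removing the `ospp: FMT_SMF_EXT.1` reference from sysctl_kernel_core_pattern_empty_string/rule.yml leaves no record of why the RHEL 9 OSPP profile now selects sysctl_kernel_core_pattern instead (the ospp.profile hunk in the same patch), and neither commit message gives a rationale. The rule keeps `cce@rhel9: CCE-86005-6` and the `conflicts:` entry visible in the hunk context, so it presumably stays in the datastream as a mutually exclusive alternative to the `|/bin/false` variant. A sentence in the commit message, or a note in the rule description such as `Not selected by OSPP; kept as an alternative to sysctl_kernel_core_pattern`, would stop the next reader from re-adding the reference.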
+++ b/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch 
@@ -0,0 +1,60 @@ +From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 11 Aug 2022 16:53:48 +0200 +Subject: [PATCH] add 4 rules back to RHEL9 datastream + +--- + .../services/kerberos/package_krb5-server_removed/rule.yml | 2 +- + .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +- + .../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +- + .../system-tools/package_krb5-workstation_removed/rule.yml | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml +index 78577046409..17d742d9692 100644 +--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml ++++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9 + + title: 'Remove the Kerberos Server Package' + +diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index d8a3910ff4d..9be95ffed5c 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Remove NIS Client' + +diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +index ee7ccb2d8da..0f7ad7c0431 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +@@ -1,6 +1,6 @@ + 
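Review bot: Adding rhel9 to `prodtype` is the only change here and in the following package_ypbind_removed, package_ypserv_removed and package_krb5-workstation_removed hunks, so whether each rule carries a `cce@rhel9` identifier cannot be seen from the hunk; if one is missing the rule would be built into the RHEL 9 datastream without a CCE, which is worth confirming before merge. The commit message (`add 4 rules back to RHEL9 datastream`) could also say why the rules were removed earlier, so a reader can judge whether that reason still applies. Note that package_krb5-workstation_removed gains rhel9 next to an existing ol9 entry while package_krb5-server_removed gains only rhel9; that may be intentional but looks inconsistent.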
documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 ++prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 + + title: 'Uninstall ypserv Package' + +diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +index 7a02459825d..4750fd6b266 100644 +--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8 ++prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9 + + title: 'Uninstall krb5-workstation Package' + diff --git a/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch b/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch new file mode 100644 index 0000000..1f8f5b0 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch 
@@ -0,0 +1,1888 @@ +From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 8 Jul 2022 17:51:57 +0200 +Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP + +Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule +requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default +is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf +programs and all users, and it turns on constants blinding by using +random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 +differ is the constants blinding for CAP_SYS_ADMIN processes in the +initial user namespaces. The extra constants blinding with +bpf_jit_harden=2 does not really help with CVE mitigation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 +--- + products/rhel9/profiles/ospp.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 244a421fb48..a7ba9532d2c 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,7 +75,6 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled +- - sysctl_net_core_bpf_jit_harden + - service_kdump_disabled + + ### Audit + +From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Jul 2022 11:24:42 +0200 +Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template + +The sysctl template uses its sysctlvar parameter value as a part of OVAL +object IDs, test IDs and state IDs. That means we can't have multiple +rules using the sysctl template with the same value of sysctlvar +parameter (only differ in other parameters) because there would be +duplicate elements. We will fix this by using the rule ID as a part of +OVAL object IDs, test IDs and state IDs. 
That will allow to use the +template for the same sysctlvar in different rules. +--- + .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- + shared/templates/sysctl/oval.template | 156 +++++++++--------- + 2 files changed, 80 insertions(+), 80 deletions(-) + +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index 1195cea518f..f971d28a047 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -19,8 +19,8 @@ + + + +- +- ++ ++ + + + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 74583dbee1d..52671c06402 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -5,8 +5,8 @@ + {{%- endif %}} + + {{% macro state_static_sysctld(prefix) -%}} +- +- ++ ++ + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -20,13 +20,13 @@ + {{%- if "P" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -34,7 +34,7 @@ + {{%- elif "I" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + {{% if product in ["ubuntu1604", "ubuntu1804"] %}} +@@ -46,9 +46,9 @@ + {{% endif %}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -58,33 +58,33 @@ + {{%- if "R" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + + ++ test_ref="test_{{{ rule_id }}}_runtime"/> + + +- +- +- ++ ++ + + +- ++ + {{{ SYSCTLVAR }}} + + {{% if SYSCTLVAL 
== "" %}} +- ++ + ++ var_ref="{{{ rule_id }}}_value"/> + + +- + {{%- else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} +@@ -100,46 +100,46 @@ + {{%- if "S" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + + ++ test_ref="test_{{{ rule_id }}}_static"/> + + ++ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> + ++ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +- ++ + {{% endif %}} + + + +- + {{{ state_static_sysctld("sysctl") }}} + + +- + {{{ state_static_sysctld("etc_sysctld") }}} + + +- + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- + {{{ state_static_sysctld("usr_lib_sysctld") }}} +@@ -148,79 +148,79 @@ + + {{% if target_oval_version >= [5, 11] %}} + +- +- ++ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> ++ ++ + + +- +- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter ++ ++ local_var_{{{ rule_id }}}_counter + + +- ++ + 1 + + +- ++ + + +- ++ + + + + +- ++ + +- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} +- state_{{{ SYSCTLID }}}_filepath_is_symlink ++ object_{{{ rule_id }}}_static_set_sysctls_unfiltered ++ state_{{{ rule_id }}}_filepath_is_symlink + + + +- +- ++ ++ + + +- ++ + +- ++ + +- ++ + + + +- ++ + +- var_obj_symlink_{{{ SYSCTLID }}} +- var_obj_blank_{{{ SYSCTLID }}} ++ var_obj_symlink_{{{ rule_id }}} ++ var_obj_blank_{{{ rule_id }}} + + + +- +- local_var_blank_path_{{{ SYSCTLID }}} ++ ++ local_var_blank_path_{{{ rule_id }}} + + +- ++ + + + +- +- local_var_symlinks_{{{ SYSCTLID }}} ++ ++ local_var_symlinks_{{{ rule_id }}} + +- ++ + +- ++ + +- ++ + + + + +- +- +- 
state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} ++ ++ ++ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} + + + +- ++ + ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ + + {{% endif %}} + +- +- ++ ++ + + + +- ++ + +- object_static_etc_sysctls_{{{ SYSCTLID }}} +- object_static_run_usr_sysctls_{{{ SYSCTLID }}} ++ object_static_etc_sysctls_{{{ rule_id }}} ++ object_static_run_usr_sysctls_{{{ rule_id }}} + + + +- ++ + +- object_static_sysctl_{{{ SYSCTLID }}} +- object_static_etc_sysctld_{{{ SYSCTLID }}} ++ object_static_sysctl_{{{ rule_id }}} ++ object_static_etc_sysctld_{{{ rule_id }}} + + + +- ++ + +- object_static_run_sysctld_{{{ SYSCTLID }}} ++ object_static_run_sysctld_{{{ rule_id }}} + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} ++ object_static_usr_lib_sysctld_{{{ rule_id }}} + {{% endif %}} + + + +- ++ + /etc/sysctl.conf + {{{ sysctl_match() }}} + + +- ++ + /etc/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + +- ++ + /run/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- ++ + /usr/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} +@@ -288,15 +288,15 @@ + {{% endif %}} + {{% if SYSCTLVAL == "" %}} + +- +- ++ + + +- + {{% else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} + {{% else %}} + +From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:16:45 +0200 +Subject: [PATCH 03/23] Use a list of values in sysctl template + +This patch adds an ability to use a list of values instead of a single +value in the sysctlval parameter of the sysctl template. This is useful +for situations when we want to create a rule that passes for multiple +different sysctl values. This commit modifies the OVAL for the runtime +configuration. 
The runtime configuration will be allowed to be any of +the values in the list. There is an OR relation between the values. In +fact, this is a first step to enable multiple values in the sysctlval +parameter in the sysctl template, because we will also need to check the +static configuration, which is not done in this commit. +--- + shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ + shared/templates/sysctl/template.py | 24 ++++++++++++-------- + 2 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 52671c06402..b73ccc94f72 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -1,5 +1,7 @@ + {{%- if SYSCTLVAL == "" %}} + {{%- set COMMENT_VALUE="the appropriate value" %}} ++{{%- elif SYSCTLVAL is sequence %}} ++{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} + {{%- else %}} + {{%- set COMMENT_VALUE=SYSCTLVAL %}} + {{%- endif %}} +@@ -60,21 +62,43 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} ++{{% if SYSCTLVAL is string %}} + + + ++{{% elif SYSCTLVAL is sequence %}} ++ ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++ ++{{% endif %}} + ++ ++{{% if SYSCTLVAL is string %}} + + + + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% endfor %}} ++{{% endif %}} + + + {{{ SYSCTLVAR }}} + ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + + {{%- endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + + {{%- endif -%}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index fa981a9dce9..c62591357c0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -12,6 +12,13 @@ def preprocess(data, lang): + if "operation" 
not in data: + data["operation"] = "equals" + ++ if data["datatype"] not in ["string", "int"]: ++ raise ValueError( ++ "Test scenarios for data type '{0}' are not implemented yet.\n" ++ "Please check if rule '{1}' has correct data type and edit " ++ "{2} to add tests for it.".format( ++ data["datatype"], data["_rule_id"], __file__)) ++ + # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": +@@ -20,20 +27,19 @@ def preprocess(data, lang): + elif data["datatype"] == "string": + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" +- else: ++ elif isinstance(data["sysctlval"], list): ++ if len(data["sysctlval"]) == 0: + raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) ++ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) ++ data["sysctl_correct_value"] = data["sysctlval"][0] ++ if data["datatype"] == "int": ++ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] ++ elif data["datatype"] == "string": ++ data["sysctl_wrong_value"] = "wrong_value" + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"] + elif data["datatype"] == "string": + data["sysctl_wrong_value"] = "wrong_value" +- else: +- raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) + return data + +From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:47:51 +0200 +Subject: [PATCH 04/23] Move check unrelated to the test scenarios + +The check for an mepty list is 
unrelated to the test scenarios, +rather is a generic check to avoid problems during the build. +Therefore, it shouldn't be inside code block that is handling +data for test scenarios, but can be extracted to a sooner position. +--- + shared/templates/sysctl/template.py | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index c62591357c0..421e42c6ca1 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -11,7 +11,12 @@ def preprocess(data, lang): + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" ++ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: ++ raise ValueError( ++ "The sysctlval parameter of {0} is an empty list".format( ++ data["_rule_id"])) + ++ # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" +@@ -19,7 +24,6 @@ def preprocess(data, lang): + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + +- # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": + data["sysctl_correct_value"] = "0" +@@ -28,9 +32,6 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- if len(data["sysctlval"]) == 0: +- raise ValueError( +- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) + data["sysctl_correct_value"] = data["sysctlval"][0] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] + +From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 11:57:50 +0200 +Subject: [PATCH 05/23] Allow multiple values in sysctl 
static configuration + +This extends the OVAL checks for sysctl static configuration +to enable a list of values instead of a single value in the +sysctlval parameter of the sysctl template. The template +will generate OVAL tests for each value in the sysctlval +list. +--- + shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index b73ccc94f72..4e1bf3cfce3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -136,6 +136,7 @@ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + ++{{% if SYSCTLVAL is string %}} + + +@@ -146,6 +147,21 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++{{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++{{% endif %}} ++{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -154,6 +170,7 @@ + + + ++{{% if SYSCTLVAL is string %}} + +@@ -177,6 +194,37 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++ ++ ++ ++{{% endif %}} ++{{% endfor %}} ++{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + + {{% endif %}} ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + +@@ -336,5 +385,12 @@ + {{% endif %}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + {{%- endif -%}} + +From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 
2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 14:55:28 +0200 +Subject: [PATCH 06/23] Add option to allow system default + +Introduce new template option `missing_static_pass` to the +systemctl template. If this option is set to `"true"` in rule.yml +the OVAL will be generated in a way that the check will pass if +there is no sysctl static configuration option in the watched sysctl +configuration files. In other words, the OVAL check will pass if +the system default isn't overridden. +--- + shared/templates/sysctl/oval.template | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 4e1bf3cfce3..1719a59f9c7 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -134,6 +134,9 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++{{% endif %}} + + + {{% if SYSCTLVAL is string %}} +@@ -168,8 +171,20 @@ + + {{% endif %}} + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++{{% endif %}} + + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++ ++{{% endif %}} ++ + {{% if SYSCTLVAL is string %}} + +Date: Wed, 13 Jul 2022 17:02:35 +0200 +Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation + +A new parameter sysctlval_remediate is introduced to the sysctl +template. This allows to choose which of the multiple values in +the sysctl list will be used in the Bash and Ansible remediations. 
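Review bot: The new gates compare `MISSING_STATIC_PASS == "true"` as a string, so a rule that writes the natural YAML form `missing_static_pass: true` (an unquoted boolean) would render the feature silently off, with no build error and no hint in the generated OVAL; this applies to both added blocks in the hunk. The documentation added later in the series says "if set to `true`" without saying the value must be quoted, and the one rule that uses it happens to quote it, so the trap is easy to hit in the next rule. I would normalise the option once in `preprocess()` of shared/templates/sysctl/template.py rather than fixing every template site, e.g. `data["missing_static_pass"] = str(data.get("missing_static_pass", "false")).lower()`, and reject anything other than `"true"`/`"false"` with a `ValueError` naming `data["_rule_id"]`. The XML bodies of the added objects and states are not visible in this rendering, so I have not reviewed them.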
+--- + docs/templates/template_reference.md | 8 ++++++++ + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 +++++----- + shared/templates/sysctl/template.py | 9 +++++++++ + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index a439e3dca94..5785f1d453f 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo + - **sysctlval** - value of the sysctl value, eg. `'1'`. If this + parameter is not specified, XCCDF Value is used instead. + ++ - **sysctlval_remediate** - the value that will be used in remediations. ++ If **sysctlval_remediate** is not specified, the template will use the ++ value of the **sysctlval** parameter in the remediations. ++ This parameter is mandatory when the **sysctlval** parameter is a list ++ because we need to know which of the values in the list the system ++ should be remedied to. When the **sysctlval** parameter is not a list ++ this parameter is optional. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. 
+ +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index c13bb6637fe..7724db5e5ff 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} ++- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL }}}" ++ value: "{{{ SYSCTLVAL_REMEDIATE }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index d67a59c3886..63948bd5a26 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 421e42c6ca1..2574d5d42b0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,6 +16,15 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + ++ if not data.get("sysctlval_remediate"): ++ if isinstance(data["sysctlval"], list): ++ raise ValueError( ++ "Problem with rule {0}: the 'sysctlval' parameter is a list " ++ "but we are missing the 'sysctlval_remediate' parameter, so " ++ "we don't know how to generate remediation content.".format( ++ data["_rule_id"])) ++ data["sysctlval_remediate"] = data["sysctlval"] ++ + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + +From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:10:16 +0200 +Subject: [PATCH 08/23] Introduce new rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +This rule is very similar to the existing rule +sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl +setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the +rule will pass when the explicit configuration isn't present, allowing +to honor the system's default value which is 2. The goal of this rule is +to prevent unnecessary modification of the RHEL system default value +while still checking for the secure configuration. + +See the explanation in +https://bugzilla.redhat.com/show_bug.cgi?id=2081728: +sysctl_kernel_unprivileged_bpf_disabled sets the +kernel.unprivileged_bpf_disabled value to 1. 
However, on RHEL 9 the +kernel supports new value 2 which per +https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled +makes it for a privileged admin to re-enable unprivileged BPF. The value +2 is also the RHEL 9 default. So the current +sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies +the RHEL 9 default. +--- + .../rule.yml | 82 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +new file mode 100644 +index 00000000000..f45769dd2d0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -0,0 +1,82 @@ ++documentation_complete: true ++ ++prodtype: rhel9 ++ ++title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' ++ ++description: |- ++ To prevent unprivileged processes from using the bpf() syscall ++ the kernel.unprivileged_bpf_disabled kernel parameter must ++ be set to 1 or 2. ++ ++ Writing 1 to this entry will disable unprivileged calls to bpf(); once ++ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. ++ Once set to 1, this can't be cleared from the running kernel anymore. ++ ++ Writing 2 to this entry will also disable unprivileged calls to bpf(), ++ however, an admin can still change this setting later on, if needed, by ++ writing 0 or 1 to this entry. 
++ ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ ++rationale: |- ++ Loading and accessing the packet filters programs and maps using the bpf() ++ syscall has the potential of revealing sensitive information about the kernel state. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87712-6 ++ ++references: ++ disa: CCI-000366 ++ nist: AC-6,SC-7(10) ++ ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 ++ stigid@ol8: OL08-00-040281 ++ stigid@rhel8: RHEL-08-040281 ++ ++ocil: |- ++ The runtime status of the kernel.unprivileged_bpf_disabled ++ kernel parameter can be queried by running the following command: ++
$ sysctl kernel.unprivileged_bpf_disabled
++ The output of the command should indicate either: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ The output of the command should not indicate: ++ kernel.unprivileged_bpf_disabled = 0 ++ ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ ++ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. ++ ++ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" ++ ++fixtext: |- ++ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ ++srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.unprivileged_bpf_disabled ++ sysctlval: ++ - '1' ++ - '2' ++ sysctlval_remediate: "2" ++ missing_static_pass: "true" ++ datatype: int +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..2c2cf12cafe 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1435,7 +1435,6 @@ CCE-87708-4 + CCE-87709-2 + CCE-87710-0 + CCE-87711-8 +-CCE-87712-6 + CCE-87713-4 + CCE-87714-2 + CCE-87715-9 + +From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:21:50 +0200 +Subject: [PATCH 09/23] Add test scenarios for rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +--- + .../tests/system_default.pass.sh | 5 +++++ + .../tests/test_config.yml | 6 ++++++ + .../tests/value_0.fail.sh | 11 +++++++++++ + .../tests/value_1.pass.sh | 11 +++++++++++ + .../tests/value_2.pass.sh | 11 +++++++++++ + 5 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
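Review bot: The OCIL verification command uses `{{{ sysctl }}}`, which is not a variable this rule defines, so unless the build's jinja context happens to provide it the rendered text becomes `grep -r '^\s*\s*=' ...` and the assessor is told to grep for every assignment in sysctl configuration instead of this one parameter; it should read `$ grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d`. In the same file the description calls `describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1")`, which instructs the reader to write 1, while the template's `sysctlval_remediate: "2"` and the stated goal of honouring the RHEL 9 default both point at 2 — a reader following the description ends up with the irreversible setting the rule was created to avoid, so `value="2"` looks like the intended argument. I would also add a one-line note in the description that 1 is sticky for the running kernel, since the OCIL already relies on that fact ("Empty output is allowed, because the system default is 2").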
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +new file mode 100644 +index 00000000000..b9776227bdb +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +new file mode 100644 +index 00000000000..dbac89b4caa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -0,0 +1,6 @@ ++deny_templated_scenarios: ++ - line_not_there.fail.sh ++ - comment.fail.sh ++ - wrong_value.fail.sh ++ - wrong_value_d_directory.fail.sh ++ - wrong_runtime.fail.sh +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +new file mode 100644 +index 00000000000..9f19e0140b4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="0" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +new file mode 100644 +index 00000000000..e976db594c8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="1" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +new file mode 100644 +index 
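Review bot: The closing comment in value_0.fail.sh, `# set correct runtime value to check if the filesystem configuration is evaluated properly`, is copied from the pass scenarios and is wrong here: the script writes 0, which is the value the rule rejects. Per the rule's own description, once the running kernel has the value 1 it cannot be cleared, so on a test host where an earlier scenario (value_1.pass.sh) already wrote 1 the `sysctl -w kernel.unprivileged_bpf_disabled="0"` write is rejected, the runtime stays compliant and the scenario is then exercising only the static-configuration half of the check. I would replace the comment with `# Also set the forbidden runtime value; if the running kernel already has the sticky value 1 this write is rejected and only the static configuration is being tested`, and, if the harness reuses a VM across scenarios, order or isolate value_1.pass.sh accordingly.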
00000000000..b1537175eb4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="2" + +From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:14:53 +0200 +Subject: [PATCH 10/23] Use rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default +instead of the rule sysctl_kernel_unprivileged_bpf_disabled +in the RHEL 9 OSPP profile. 
+--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index a7ba9532d2c..19e4878c4b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -74,7 +74,7 @@ selections: + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces +- - sysctl_kernel_unprivileged_bpf_disabled ++ - sysctl_kernel_unprivileged_bpf_disabled_accept_default + - service_kdump_disabled + + ### Audit + +From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:25:26 +0200 +Subject: [PATCH 11/23] Document that sysctlval can be a list + +--- + docs/templates/template_reference.md | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 5785f1d453f..716407fd5c9 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this ++ - **sysctlval** - value of the sysctl value. This can be either an atomic ++ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this + parameter is not specified, XCCDF Value is used instead. + + - **sysctlval_remediate** - the value that will be used in remediations. 
+ +From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:00:59 +0200 +Subject: [PATCH 12/23] Document the missing_static_pass option + +--- + docs/templates/template_reference.md | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 716407fd5c9..65da697b808 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **missing_static_pass** - if set to `true` the check will pass if the ++ setting for the given **sysctlvar** is not present in sysctl ++ configuration files. In other words, the check will pass if the system ++ default isn't overriden by configuration. Default value: `false`. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. + + +From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:03:53 +0200 +Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter + +When the `sysctalval` parameter is a list, this parameter will be +substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This +is better than current computing of the SYSCTL_WRONG_VALUE parameter +which is done by prepending "1" to the string value, because the +computed value could be invalid and the `sysctl -w` command used in the +test scenario wrong_runtime.fail.sh could fail to set the value to +SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same +time the `missing_static_pass` is set to `true` and the system is set to +system default, then the unchanged runtime would cause the check to pass +and therefore the test scenario wrong_runtime.fail.sh to error. +--- + docs/templates/template_reference.md | 3 +++ + .../rule.yml | 1 + + shared/templates/sysctl/template.py | 7 ++----- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 65da697b808..7e1fc7049cf 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **sysctlval_wrong** - the value that is always wrong. This will be used ++ only in the test scenarios only if **sysctlval** is a list. ++ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. 
In other words, the check will pass if the system +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index f45769dd2d0..ddff15dff8f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,6 @@ template: + - '1' + - '2' + sysctlval_remediate: "2" ++ sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2574d5d42b0..96663694997 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -41,11 +41,8 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval"][0] +- if data["datatype"] == "int": +- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] +- elif data["datatype"] == "string": +- data["sysctl_wrong_value"] = "wrong_value" ++ data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:23:59 +0200 +Subject: [PATCH 14/23] Change test_config.yml + +--- + .../tests/test_config.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
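Review bot: The list branch now reads `data["sysctlval_wrong"]` directly, so a rule with a list-valued `sysctlval` that omits `sysctlval_wrong` fails with a bare `KeyError` from the template engine rather than the descriptive `ValueError` the surrounding code raises for the other misconfigurations, and nothing checks that the "always wrong" value is actually outside the accepted list (a value that is in the list would make the `wrong_*` test scenarios pass their check and error). I would add, next to the existing empty-list check, `wrong = data.get("sysctlval_wrong")` and `if isinstance(data["sysctlval"], list) and (wrong is None or wrong in data["sysctlval"]): raise ValueError("Rule {0}: 'sysctlval_wrong' must be set and must not be one of the accepted sysctlval values".format(data["_rule_id"]))`. The enclosing `preprocess()` begins outside this hunk.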
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index dbac89b4caa..c379680e25c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,6 +1,6 @@ + deny_templated_scenarios: ++ # this rule uses missing_static_pass: true which means the check should pass ++ # if the configuration is missing (or commented out) therefore we disable ++ # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh + - comment.fail.sh +- - wrong_value.fail.sh +- - wrong_value_d_directory.fail.sh +- - wrong_runtime.fail.sh + +From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 15 Jul 2022 10:36:05 +0200 +Subject: [PATCH 15/23] Simplify sysctl template + +Instead of using multiple OVAL tests in OR relation we can have +a single OVAL test containing multiple OVAL states in OR relation. +That will simplify the code. 
+--- + shared/templates/sysctl/oval.template | 82 +++++---------------------- + 1 file changed, 13 insertions(+), 69 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1719a59f9c7..8241c391ad2 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -8,7 +8,13 @@ + + {{% macro state_static_sysctld(prefix) -%}} + ++{{% if SYSCTLVAL is string %}} + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++{{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -62,38 +68,24 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} +-{{% if SYSCTLVAL is string %}} + + + +-{{% elif SYSCTLVAL is sequence %}} +- +-{{% for x in SYSCTLVAL %}} +- +-{{% endfor %}} +- +-{{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + ++ check="all" check_existence="all_exist" state_operator="OR"> + ++{{% if SYSCTLVAL is string %}} + +- + {{% elif SYSCTLVAL is sequence %}} + {{% for x in SYSCTLVAL %}} +- +- + +- + {{% endfor %}} + {{% endif %}} ++ + + + {{{ SYSCTLVAR }}} +@@ -139,7 +131,6 @@ + {{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + + +@@ -150,21 +141,6 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + +-{{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +-{{% endif %}} +-{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -185,61 +161,29 @@ +
+ {{% endif %}} + +-{{% if SYSCTLVAL is string %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> + {{{ state_static_sysctld("sysctl") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("etc_sysctld") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +- +- +- +-{{% endif %}} +-{{% endfor %}} +-{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + +Date: Mon, 25 Jul 2022 15:40:24 +0200 +Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter + +Replace the sysctlval_remediate template parameter by using an XCCDF +value. The variable would be only used in the remediation and would +allow users to tailor the value, instead of the current solution where +the value is hardcoded and can be only changed during build time. 
+--- + docs/templates/template_reference.md | 21 +++++++++---------- + .../rule.yml | 1 - + products/rhel9/profiles/ospp.profile | 1 + + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 ++++----- + shared/templates/sysctl/template.py | 11 +--------- + 6 files changed, 20 insertions(+), 30 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 7e1fc7049cf..00f991daae7 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value. This can be either an atomic +- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this +- parameter is not specified, XCCDF Value is used instead. +- +- - **sysctlval_remediate** - the value that will be used in remediations. +- If **sysctlval_remediate** is not specified, the template will use the +- value of the **sysctlval** parameter in the remediations. +- This parameter is mandatory when the **sysctlval** parameter is a list +- because we need to know which of the values in the list the system +- should be remedied to. When the **sysctlval** parameter is not a list +- this parameter is optional. ++ - **sysctlval** - value of the sysctl value. This can be either not ++ specified, or an atomic value, eg. `'1'`, or a list of values, ++ eg. `['1','2']`. ++ - If this parameter is not specified, an XCCDF Value is used instead ++ in OVAL check and remediations. ++ - If this parameter is set to an atomic value, this atomic value ++ will be used in OVAL check and remediations. ++ - If this parameter is set to a list of values, the list will be used ++ in the OVAL check, but won't be used in the remediations. ++ All remediations will use an XCCDF value instead. 
+ + - **sysctlval_wrong** - the value that is always wrong. This will be used + only in the test scenarios only if **sysctlval** is a list. +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ddff15dff8f..9936ed777c8 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,7 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_remediate: "2" + sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 19e4878c4b0..b47630c62b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,6 +75,7 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled_accept_default ++ - sysctl_kernel_unprivileged_bpf_disabled_value=2 + - service_kdump_disabled + + ### Audit +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index 7724db5e5ff..edc4d3fb667 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} ++- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}}
+ sysctl:
+ name: "{{{ SYSCTLVAR }}}"
+- value: "{{{ SYSCTLVAL_REMEDIATE }}}"
++ value: "{{{ SYSCTLVAL }}}"
+ {{%- endif %}}
+ state: present
+ reload: yes
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 63948bd5a26..cd3424b0228 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+ fi
+ done
+
+-{{%- if SYSCTLVAL_REMEDIATE == "" %}}
++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
+ {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
+
+ #
+@@ -38,11 +38,11 @@ done
+ #
+ # Set runtime for {{{ SYSCTLVAR }}}
+ #
+-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}"
++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
+
+ #
+-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}"
+-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf
++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}"
++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf
+ #
+-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}}
++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}}
+ {{%- endif %}}
+diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
+index 96663694997..2b779f99a62 100644
+--- a/shared/templates/sysctl/template.py
++++ b/shared/templates/sysctl/template.py
+@@ -16,15 +16,6 @@ def preprocess(data, lang):
+ "The sysctlval parameter of {0} is an empty list".format(
+ data["_rule_id"]))
+
+- if not data.get("sysctlval_remediate"):
+- if isinstance(data["sysctlval"], list):
+- raise ValueError(
+- "Problem with rule {0}: the 'sysctlval' parameter is a list "
+- "but we are missing
the 'sysctlval_remediate' parameter, so "
+- "we don't know how to generate remediation content.".format(
+- data["_rule_id"]))
+- data["sysctlval_remediate"] = data["sysctlval"]
+-
+ # Configure data for test scenarios
+ if data["datatype"] not in ["string", "int"]:
+ raise ValueError(
+@@ -41,7 +32,7 @@ def preprocess(data, lang):
+ data["sysctl_correct_value"] = "correct_value"
+ data["sysctl_wrong_value"] = "wrong_value"
+ elif isinstance(data["sysctlval"], list):
+- data["sysctl_correct_value"] = data["sysctlval_remediate"]
++ data["sysctl_correct_value"] = data["sysctlval"][0]
+ data["sysctl_wrong_value"] = data["sysctlval_wrong"]
+ else:
+ data["sysctl_correct_value"] = data["sysctlval"]
+
+From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 25 Jul 2022 15:47:11 +0200
+Subject: [PATCH 17/23] Rename a template parameter
+
+Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing
+---
+ docs/templates/template_reference.md | 4 ++--
+ .../rule.yml | 2 +-
+ shared/templates/sysctl/template.py | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 00f991daae7..4e6357c1579 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo
+ in the OVAL check, but won't be used in the remediations.
+ All remediations will use an XCCDF value instead.
+
+- - **sysctlval_wrong** - the value that is always wrong. This will be used
+- only in the test scenarios only if **sysctlval** is a list.
++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used
++ only in the templated test scenarios only if **sysctlval** is a list.
+
+ - **missing_static_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index 9936ed777c8..b8af4f7560d 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -77,6 +77,6 @@ template:
+ sysctlval:
+ - '1'
+ - '2'
+- sysctlval_wrong: "0"
++ wrong_sysctlval_for_testing: "0"
+ missing_static_pass: "true"
+ datatype: int
+diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
+index 2b779f99a62..9083a6a4185 100644
+--- a/shared/templates/sysctl/template.py
++++ b/shared/templates/sysctl/template.py
+@@ -33,7 +33,7 @@ def preprocess(data, lang):
+ data["sysctl_wrong_value"] = "wrong_value"
+ elif isinstance(data["sysctlval"], list):
+ data["sysctl_correct_value"] = data["sysctlval"][0]
+- data["sysctl_wrong_value"] = data["sysctlval_wrong"]
++ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]
+ else:
+ data["sysctl_correct_value"] = data["sysctlval"]
+ if data["datatype"] == "int":
+
+From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 25 Jul 2022 15:56:26 +0200
+Subject: [PATCH 18/23] Rename parameter missing_static_pass
+
+Rename the parameter missing_static_pass to missing_parameter_pass
+to make the naming consistent with other templates where a parameter
+with a similar meaning exist.
+---
+ docs/templates/template_reference.md | 2 +-
+ .../rule.yml | 2 +-
+ .../tests/test_config.yml | 2 +-
+ shared/templates/sysctl/oval.template | 6 +++---
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 4e6357c1579..0fff58c0a23 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo
+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used
+ only in the templated test scenarios only if **sysctlval** is a list.
+
+- - **missing_static_pass** - if set to `true` the check will pass if the
++ - **missing_parameter_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+ configuration files. In other words, the check will pass if the system
+ default isn't overriden by configuration. Default value: `false`.
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index b8af4f7560d..7d8769a913f 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -78,5 +78,5 @@ template:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
+- missing_static_pass: "true"
++ missing_parameter_pass: "true"
+ datatype: int
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
+index c379680e25c..5cf68074050 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
+@@ -1,5 +1,5 @@
+ deny_templated_scenarios:
+- # this rule uses missing_static_pass: true which means the check should pass
++ # this rule uses missing_parameter_pass: true which means the check should pass
+ # if the configuration is missing (or commented out) therefore we disable
+ # line_not_there.fail.sh and comment.fail.sh test scenarios
+ - line_not_there.fail.sh
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 8241c391ad2..1a7c4979bbe 100644
+--- a/shared/templates/sysctl/oval.template
++++ b/shared/templates/sysctl/oval.template
+@@ -126,7 +126,7 @@
+
+
+ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+-{{%
if MISSING_STATIC_PASS == "true" %}}
++{{% if MISSING_PARAMETER_PASS == "true" %}}
+
+ {{% endif %}}
+
+@@ -147,13 +147,13 @@
+
+ {{% endif %}}
+
+-{{% if MISSING_STATIC_PASS == "true" %}}
++{{% if MISSING_PARAMETER_PASS == "true" %}}
+
+
+ {{% endif %}}
+
+
+-{{% if MISSING_STATIC_PASS == "true" %}}
++{{% if MISSING_PARAMETER_PASS == "true" %}}
+
+
+From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 26 Jul 2022 16:26:03 +0200
+Subject: [PATCH 19/23] Add a variable
+ sysctl_kernel_unprivileged_bpf_disabled_value
+
+---
+ ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+new file mode 100644
+index 00000000000..b8bf965a255
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+@@ -0,0 +1,18 @@
++documentation_complete: true
++
++title: kernel.unprivileged_bpf_disabled
++
++description: |-
++ Prevent unprivileged processes from using the bpf() syscall.
++
++type: number
++
++operator: equals
++
++interactive: false
++
++options:
++ default: 2
++ 0: "0"
++ 1: "1"
++ 2: "2"
+
+From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 26 Jul 2022 09:36:09 +0200
+Subject: [PATCH 20/23] Improve documentation of the sysctl template
+
+---
+ docs/templates/template_reference.md | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 0fff58c0a23..e73b95450fe 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo
+ specified, or an atomic value, eg. `'1'`, or a list of values,
+ eg. `['1','2']`.
+ - If this parameter is not specified, an XCCDF Value is used instead
+- in OVAL check and remediations.
++ in OVAL check and remediations. The XCCDF Value should have a file
++ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`,
++ where the `escaped_sysctlvar` is a value of the **sysctlvar**
++ parameter in which all characters that don't match the `\w` regular
++ expression are replaced by an underscore (`_`).
+ - If this parameter is set to an atomic value, this atomic value
+ will be used in OVAL check and remediations.
+ - If this parameter is set to a list of values, the list will be used
+ in the OVAL check, but won't be used in the remediations.
+ All remediations will use an XCCDF value instead.
+
+- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used
+- only in the templated test scenarios only if **sysctlval** is a list.
++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This
++ will be used in templated test scenarios when **sysctlval** is a list.
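Review bot: The new variable file offers `0: "0"` as a selectable option, yet the rule it feeds (`sysctl_kernel_unprivileged_bpf_disabled_accept_default`, whose `sysctlval` list is `['1','2']`) only passes for 1 or 2, and since the template change in PATCH 16 every remediation takes its value from this XCCDF variable rather than from that list. A tailoring that selects 0 would therefore make the Bash and Ansible remediations write the one value the OVAL check rejects, leaving the system non-compliant and with unprivileged bpf() re-enabled; the RHEL9 OSPP profile is unaffected because it pins `=2` explicitly. Consider dropping the `0` option, or at minimum stating the constraint in the `description`, e.g. `Only the values 1 and 2 satisfy the sysctl_kernel_unprivileged_bpf_disabled_accept_default rule.`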
+
+ - **missing_parameter_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+
+From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 26 Jul 2022 09:36:34 +0200
+Subject: [PATCH 21/23] Remove RHEL 8 STIG ID
+
+---
+ .../rule.yml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index 7d8769a913f..ec3b5aef82f 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -33,8 +33,6 @@ references:
+ nist: AC-6,SC-7(10)
+ ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
+- stigid@ol8: OL08-00-040281
+- stigid@rhel8: RHEL-08-040281
+
+ ocil: |-
+ The runtime status of the kernel.unprivileged_bpf_disabled
+
+From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 26 Jul 2022 09:36:47 +0200
+Subject: [PATCH 22/23] Fix a typo
+
+---
+ .../rule.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index ec3b5aef82f..589deccb0c7 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -62,7 +62,7 @@ ocil: |-
+
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"
+
+ fixtext: |-
+- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall.
++ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall.
+
+ srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'
+
+
+From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 27 Jul 2022 10:36:04 +0200
+Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description
+
+---
+ .../rule.yml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+index 589deccb0c7..259d1f901c6 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
+@@ -13,11 +13,13 @@ description: |-
+ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM.
+ Once set to 1, this can't be cleared from the running kernel anymore.
+
++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
++
+ Writing 2 to this entry will also disable unprivileged calls to bpf(),
+ however, an admin can still change this setting later on, if needed, by
+ writing 0 or 1 to this entry.
+
+- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}}
+
+ rationale: |-
+ Loading and accessing the packet filters programs and maps using the bpf()
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
new file mode 100644
index 0000000..89f26f7
--- /dev/null
+++ b/SPECS/scap-security-guide.spec
@@ -0,0 +1,539 @@
+# SSG build system and tests count with build directory name `build`.
+# For more details see:
+# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+%global _vpath_builddir build
+# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
+
+Name: scap-security-guide
+Version: 0.1.63
+Release: 5%{?dist}
+Summary: Security guidance and baselines in SCAP formats
+License: BSD-3-Clause
+URL: https://github.com/ComplianceAsCode/content/
+Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+BuildArch: noarch
+
+Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
+Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
+Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
+Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
+Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
+
+BuildRequires: libxslt
+BuildRequires: expat
+BuildRequires: openscap-scanner >= 1.2.5
+BuildRequires: cmake >= 2.8
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
+BuildRequires: /usr/bin/python3
+BuildRequires: python%{python3_pkgversion}
+BuildRequires: python%{python3_pkgversion}-jinja2
+BuildRequires: python%{python3_pkgversion}-PyYAML
+Requires: xml-common, openscap-scanner >= 1.2.5
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view.
The guidance is specified
+in the Security Content Automation Protocol (SCAP) format and constitutes
+a catalog of practical hardening advice, linked to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidelines. The system
+administrator can use the oscap CLI tool from openscap-scanner package, or the
+scap-workbench GUI tool from scap-workbench package to verify that the system
+conforms to provided guideline. Refer to scap-security-guide(8) manual page for
+further information.
+
+%package doc
+Summary: HTML formatted security guides generated from XCCDF benchmarks
+Requires: %{name} = %{version}-%{release}
+
+%description doc
+The %{name}-doc package contains HTML formatted documents containing
+hardening guidances that have been generated from XCCDF benchmarks
+present in %{name} package.
+
+%if ( %{defined rhel} && (! %{defined centos}) )
+%package rule-playbooks
+Summary: Ansible playbooks per each rule.
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
+%prep
+%autosetup -p1
+
+%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
+%define cmake_defines_specific %{nil}
+%if 0%{?rhel}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%endif
+%if 0%{?centos}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
+%endif
+
+mkdir -p build
+%build
+%cmake %{cmake_defines_common} %{cmake_defines_specific}
+%cmake_build
+
+%install
+%cmake_install
+rm %{buildroot}/%{_docdir}/%{name}/README.md
+rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
+
+%files
+%{_datadir}/xml/scap/ssg/content
+%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible/*.yml
+%lang(en) %{_mandir}/man8/scap-security-guide.8.*
+%doc %{_docdir}/%{name}/LICENSE
+%if ( %{defined rhel} && (! %{defined centos}) )
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%files doc
+%doc %{_docdir}/%{name}/guides/*.html
+%doc %{_docdir}/%{name}/tables/*.html
+
+%if ( %{defined rhel} && (!
%{defined centos}) )
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%changelog
+* Thu Aug 25 2022 Gabriel Becker - 0.1.63-5
+- OSPP: fix rule related to coredump (RHBZ#2081688)
+
+* Tue Aug 23 2022 Vojtech Polasek - 0.1.63-4
+- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
+
+* Thu Aug 11 2022 Matej Tyc - 0.1.63-3
+- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
+
+* Wed Aug 10 2022 Vojtech Polasek - 0.1.63-2
+- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
+- OSPP: update rules related to coredumps (RHBZ#2081688)
+- OSPP: update rules related to BPF (RHBZ#2081728)
+- fix description of require_singleuser_mode (RHBZ#2092799)
+- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
+- OSPP: use minimal Authselect profile(RHBZ#2114979)
+
+* Mon Aug 01 2022 Vojtech Polasek - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
+
+* Mon Jul 18 2022 Vojtech Polasek - 0.1.62-2
+- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
+- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
+- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
+- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
+- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
+- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
+- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
+- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
+- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
+- Remove rules related to NIS services (RHBZ#2096602)
+- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
+
+* Wed Jun 01 2022 Matej Tyc - 0.1.62-1
+- Rebase to a new
upstream release (RHBZ#2070563)
+
+* Mon Feb 21 2022 Gabriel Becker - 0.1.60-5
+- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
+- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
+- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
+
+* Tue Feb 15 2022 Watson Sato - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014561)
+- Update description of OSPP profile (RHBZ#2045386)
+- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
+
+* Mon Feb 14 2022 Gabriel Becker - 0.1.60-3
+- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
+- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
+- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
+- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
+- Update GRUB2 rule descriptions (RHBZ#2020623)
+- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
+
+* Fri Feb 11 2022 Watson Sato - 0.1.60-2
+- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
+
+* Thu Jan 27 2022 Watson Sato - 0.1.60-1
+- Rebase to a new upstream release (RHBZ#2014561)
+
+* Wed Dec 08 2021 Gabriel Becker - 0.1.59-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Enable Centos Stream 9 content (RHBZ#2021284)
+
+* Fri Oct 15 2021 Matej Tyc - 0.1.58-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Disable profiles that we disable in RHEL8
+- Add a VM wait handling to fix issues with tests.
+
+* Wed Aug 25 2021 Matej Tyc - 0.1.57-5
+- Fix remediations applicability of zipl rules
+ Resolves: rhbz#1996847
+
+* Tue Aug 24 2021 Matej Tyc - 0.1.57-4
+- Fix a broken HTTP link
+ Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
+ Resolves: rhbz#1962564
+
+* Tue Aug 17 2021 Matej Tyc - 0.1.57-3
+- Use SSHD directory-based configuration.
+ Resolves: rhbz#1962564
+- Introduce ISM kickstarts
+ Resolves: rhbz#1978290
+- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
+ TLDR: Enable remediations by means of platform metadata,
+ enable the RHEL9 GPG rule, introduce the s390x platform,
+ fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
+ address the subscription-manager package merge, and
+ enable and select more rules applicable to RHEL9.
+ Resolves: rhbz#1987227
+ Resolves: rhbz#1987226
+ Resolves: rhbz#1987231
+ Resolves: rhbz#1988289
+
+* Tue Aug 10 2021 Mohan Boddu - 0.1.57-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 28 2021 Matej Tyc - 0.1.57-1
+- Upgrade to the latest upstream release
+- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
+
+* Wed Jul 07 2021 Matej Tyc - 0.1.56-3
+- Introduced the playbooks subpackage.
+- Enabled CentOS content on CentOS systems.
+- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
+
+* Mon Jun 28 2021 Matej Tyc - 0.1.56-2
+- Enable more RHEL9 rules and introduce RHEL9 profile stubs
+
+* Wed May 19 2021 Jan Černý - 0.1.56-1
+- Upgrade to the latest upstream release
+- remove README.md and Contributors.md
+- remove SCAP component files
+- remove SCAP 1.2 source data streams
+- remove HTML guides for the virtual “(default)” profile
+- remove profile Bash remediation scripts
+- build only RHEL9 content
+- remove other products
+- use autosetup in %prep phase
+
+* Fri Apr 16 2021 Mohan Boddu - 0.1.54-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021.
Related: rhbz#1947937
+
+* Fri Feb 12 2021 Vojtech Polasek - 0.1.54-2
+- fix definition of build directory
+
+* Fri Feb 05 2021 Vojtech Polasek - 0.1.54-1
+- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.1.53-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 16 2020 Vojtech Polasek - 0.1.53-1
+- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
+
+* Wed Sep 23 2020 Vojtech Polasek - 0.1.52-3
+- revert previous rework, it did not solve the problem
+
+* Wed Sep 23 2020 Vojtech Polasek - 0.1.52-2
+- rewrite solution for CMake out of source builds
+
+* Mon Sep 21 2020 Vojtech Polasek - 0.1.52-1
+- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
+
+* Tue Aug 04 2020 Jan Černý - 0.1.51-4
+- Update for new CMake out of source builds
+ https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
+
+* Sat Aug 01 2020 Fedora Release Engineering - 0.1.51-3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.1.51-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 17 2020 Vojtech Polasek - 0.1.51-1
+- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
+
+* Mon Mar 23 2020 Watson Sato - 0.1.49-1
+- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
+
+* Thu Jan 30 2020 Fedora Release Engineering - 0.1.48-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 16 2020 Watson Sato - 0.1.48-1
+- Update to
latest upstream SCAP-Security-Guide-0.1.48 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
+
+* Mon Dec 09 2019 Matěj Týč - 0.1.47-2
+- Hotfix of the XML parsing fix.
+
+* Mon Dec 09 2019 Matěj Týč - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
+- Fixed XML parsing of remediation functions.
+
+* Mon Jul 29 2019 Watson Sato - 0.1.45-1
+- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
+
+* Fri Jul 26 2019 Fedora Release Engineering - 0.1.44-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon May 06 2019 Watson Yuuma Sato - 0.1.44-1
+- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
+
+* Fri Feb 22 2019 Watson Yuuma Sato - 0.1.43-1
+- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
+- Update URL and source URL
+
+* Sat Feb 02 2019 Fedora Release Engineering - 0.1.42-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Dec 12 2018 Watson Yuuma Sato - 0.1.42-1
+- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
+- Fix man page build dependency on derivative content
+
+* Mon Oct 01 2018 Watson Yuuma Sato - 0.1.41-1
+- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
+- Fix Licence of this package
+
+* Wed Jul 25 2018 Matěj Týč - 0.1.40-1
+- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
+- Update to use Python3 for build.
+
+* Sat Jul 14 2018 Fedora Release Engineering - 0.1.39-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri May 04 2018 Watson Yuuma Sato - 0.1.39-2
+- Add python version to python2-jinja2 package
+
+* Fri May 04 2018 Watson Yuuma Sato - 0.1.39-1
+- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-2
+- Add python version to python package prefixes
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1
+- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1
+- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
+
+* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1
+- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
+
+* Tue Aug 29 2017 Watson Sato - 0.1.35-1
+- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 03 2017 Watson Sato - 0.1.34-1
+- updated to latest upstream release
+
+* Mon May 01 2017 Martin Preisler - 0.1.33-1
+- updated to latest upstream release
+
+* Thu Mar 30 2017 Martin Preisler - 0.1.32-1
+- updated to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-2
+- use make_build and make_install RPM macros
+
+* Mon Nov 28
2016 Martin Preisler - 0.1.31-1 +- update to the latest upstream release +- new default location for content /usr/share/scap/ssg +- install HTML tables in the doc subpackage + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2 +- Correct currently failing parallel SCAP Security Guide build + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1 +- Update to latest upstream SCAP-Security-Guide-0.1.30 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30 +- Drop shell library for remediation functions since it is not required + starting from 0.1.30 release any more + +* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1 +- Update to latest upstream SCAP-Security-Guide-0.1.29 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29 +- Do not ship Firefox/DISCLAIMER documentation file since it has been removed + in 0.1.29 upstream release + +* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1 +- upgrade to the latest upstream release + +* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1 +- update to the latest upstream release + +* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1 +- update to the latest upstream release + +* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1 +- update to the latest upstream release + +* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1 +- update to the latest upstream release +- created doc sub-package to ship all the guides +- start distributing centos and scientific linux content +- rename java content to jre + +* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 05 2015 Šimon Lukašík - 0.1.22-1 +- update to the latest upstream release +- only DataStream file is now available for Fedora +- start distributing security baseline for Firefox +- start distributing security baseline for Java RunTime deployments + +* Wed Mar 04 
2015 Šimon Lukašík - 0.1.21-1 +- update to the latest upstream release +- move content to /usr/share/scap/ssg/content + +* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1 +- update to the latest upstream release + +* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4 +- require only openscap-scanner, not whole openscap-utils package + +* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3 +- Rebase the RHEL part of SSG to the latest upstream version (0.1.18) +- Add STIG DISCLAIMER to the shipped documentation + +* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1 +- Fix fedora-srpm and fedora-rpm Make targets to work again +- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans +- EOL for Fedora 18 support +- Include Fedora datastream file for remote Fedora system scans + +* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2 +- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14) + +* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1 +- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move + it to /shared +- Add shared remediations for sshd disable empty passwords and + sshd set idle timeout +- Shared remediation for sshd disable root login +- Add empty -compat subpackage to ensure backward-compatibility with + openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335) +- OVAL check for sshd disable root login +- Fix typo in OVAL check for sshd disable empty passwords +- OVAL check for sshd disable empty passwords +- Unselect no shelllogin for systemaccounts rule from being run by default +- Rename XCCDF rules +- Revert Set up Fedora release name and CPE based on build system properties +- Shared OVAL check for Verify that Shared Library Files Have Root Ownership +- Shared OVAL check for Verify that System Executables Have Restrictive Permissions +- Shared OVAL check for Verify that System Executables 
Have Root Ownership +- Shared OVAL check for Verify that Shared Library Files Have Restrictive + Permissions +- Fix remediation for Disable Prelinking rule +- OVAL check and remediation for sshd's ClientAliveCountMax rule +- OVAL check for sshd's ClientAliveInterval rule +- Include descriptions for permissions section, and rules for checking + permissions and ownership of shared library files and system executables +- Disable selected rules by default +- Add remediation for Disable Prelinking rule +- Adjust service-enable-macro, service-disable-macro XSLT transforms + definition to evaluate to proper systemd syntax +- Fix service_ntpd_enabled OVAL check make validate to pass again +- Include patch from Šimon Lukašík to obsolete openscap-content + package (RH BZ#1028706) +- Add OVAL check to test if there's is remote NTP server configured for + time data +- Add system settings section for the guide (to track system wide + hardening configurations) +- Include disable prelink rule and OVAL check for it +- Initial OVAL check if ntpd service is enabled. Add package_installed + OVAL templating directory structure and functionality. +- Include services section, and XCCDF description for selected ntpd's + sshd's service rules +- Include remediations for login.defs' based password minimum, maximum and + warning age rules +- Include directory structure to support remediations +- Add SCAP "replace or append pattern value in text file based on variable" + remediation script generator +- Add remediation for "Set Password Minimum Length in login.defs" rule + +* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1 +- Update versioning scheme - move fedorassgrelease to be part of + upstream version. Rename it to fedorassgversion to avoid name collision + with Fedora package release. 
+ +* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3 +- Add .gitignore for Fedora output directory +- Set up Fedora release name and CPE based on build system properties +- Use correct file paths in scap-security-guide(8) manual page + (RH BZ#1018905, c#10) +- Apply further changes motivated by scap-security-guide Fedora RPM review + request (RH BZ#1018905, c#8): + * update package description, + * make content files to be owned by the scap-security-guide package, + * remove Fedora release number from generated content files, + * move HTML form of the guide under the doc directory (together + with that drop fedora/content subdir and place the content + directly under fedora/ subdir). +- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905): + * drop Fedora release from package provided files' final path (c#5), + * drop BuildRoot, selected Requires:, clean section, drop chcon for + manual page, don't gzip man page (c#4), + * change package's description (c#4), + * include PD license text (#c4). + +* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2 +- Provide manual page for scap-security-guide +- Remove percent sign from spec's changelog to silence rpmlint warning +- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora +- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora +- Introduce 'Account and Access Control' section +- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's + rules to Fedora +- Set proper name of the build directory in the spec's setup macro. +- Replace hard-coded paths with macros. Preserve attributes when copying files. + +* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1 +- Initial Fedora SSG RPM.